Ebtables 3.0
Network isolation provided through ebtables rules applied on the bridges. This method will only permit isolation with a mask of 255.255.255.0.
This hook requires ebtables to be available in all the OpenNebula Hosts.
Although this is the most easily usable hook, since it doesn't require any special hardware or software configuration, it lacks the ability to share IPs amongst different VNETs: if a VNET is using leases from 192.168.0.0/24, another VNET can't use IPs in the same network.
It is also worth mentioning that the filtering isn't adequate on all bridges; in particular, it shouldn't be activated on public bridges. Therefore it's recommended to uncomment the FILTERED_BRIDGES line in /var/lib/one/remotes/hooks/vnm/ebtables-vlan and specify the list of bridges that should be filtered.
Since this functionality is provided through a hook, it won't be effective after a migration: the hook isn't triggered again on the target host.
Requirements:

- ebtables package installed.
- sudoers configured so oneadmin can execute ebtables in the hosts.
To activate the hook, uncomment the following snippet in oned.conf:

    VM_HOOK = [
        name      = "ebtables-vlan-on",
        on        = "RUNNING",
        command   = "vnm/ebtables-vlan",
        arguments = "on $TEMPLATE",
        remote    = "yes" ]

    VM_HOOK = [
        name      = "ebtables-vlan-off",
        on        = "DONE",
        command   = "vnm/ebtables-vlan",
        arguments = "off $TEMPLATE",
        remote    = "yes" ]
There are no special attributes required; the ebtables-vlan hook will run automatically if configured.
This section lists the ebtables rules that are created:

    # Drop packets that don't match the network's MAC Address
    -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP

    # Prevent MAC spoofing
    -s ! <mac_address> -i <tap_device> -j DROP
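The following script is an added example, not the OpenNebula ebtables-vlan hook itself. It renders the two rules above for a given VM MAC and tap device, and lets you evaluate a frame against them offline so the effect of the ff:ff:ff:ff:ff:0 mask (only the first five octets are compared, which with OpenNebula's IP-derived MACs is the /24 network) can be checked before touching a host. It assumes the rules live in the FORWARD chain; the MAC and tap values are constructed sample data.

```shell
#!/bin/sh
# Added example, not the OpenNebula ebtables-vlan hook itself.
# Assumptions: rules are appended to the FORWARD chain; MAC/tap values used
# when testing are constructed sample data.

# Lowercase a MAC address so comparisons are case-insensitive.
norm_mac() {
  printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# First five octets of a MAC: what survives the ff:ff:ff:ff:ff:0 mask.
# With OpenNebula's IP-derived MACs (prefix + four IP octets) this is the
# /24 network, which is why only a 255.255.255.0 mask can be isolated.
mac_prefix() {
  m=$(norm_mac "$1")
  printf '%s\n' "${m%:*}"
}

# Print the ebtables commands the hook would run for one VM NIC.
ebtables_rules() {
  mac=$(norm_mac "$1")
  tap="$2"
  # Rule 1: frames leaving the bridge towards the VM must come from a MAC
  # in the same 5-octet prefix (same VNET); anything else is dropped.
  printf 'ebtables -A FORWARD -s ! %s/ff:ff:ff:ff:ff:0 -o %s -j DROP\n' "$mac" "$tap"
  # Rule 2: frames entering from the VM must carry exactly its own MAC.
  printf 'ebtables -A FORWARD -s ! %s -i %s -j DROP\n' "$mac" "$tap"
}

# Offline verdict for a frame. dir is "out" (bridge -> tap, rule 1) or
# "in" (tap -> bridge, rule 2). Prints DROP or ACCEPT.
frame_verdict() {
  vm_mac=$(norm_mac "$1")
  dir="$2"
  src=$(norm_mac "$3")
  case "$dir" in
    out)
      # Masked comparison: only the first five octets matter.
      if [ "$(mac_prefix "$src")" != "$(mac_prefix "$vm_mac")" ]; then
        echo DROP
      else
        echo ACCEPT
      fi ;;
    in)
      # Exact comparison: the VM may only send with its assigned MAC.
      if [ "$src" != "$vm_mac" ]; then echo DROP; else echo ACCEPT; fi ;;
    *)
      echo "usage: frame_verdict <vm_mac> in|out <src_mac>" >&2
      return 2 ;;
  esac
}

# Usage: ./ebtables-rules.sh <vm_mac> <tap_device> prints the rules for that NIC.
if [ "$#" -eq 2 ]; then
  ebtables_rules "$1" "$2"
fi
```

Running it as `sh ebtables-rules.sh 02:00:c0:a8:00:05 vnet0` prints the two commands for that NIC; `frame_verdict` can be sourced to confirm, for instance, that a frame from 02:00:c0:a8:01:07 (a different /24) is dropped on its way to the VM while a neighbour in the same /24 is accepted.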