Ebtables 3.0

Network isolation is provided through ebtables rules applied on the bridges. This method only permits isolation with a netmask of 255.255.255.0.


Requirements

This hook requires ebtables to be available in all the OpenNebula Hosts.

Considerations & Limitations

Although this is the most easily usable hook, since it requires neither special hardware nor any software configuration, it lacks the ability to share IPs amongst different VNETs: if one VNET is using leases from 192.168.0.0/24, another VNET can't use IPs in the same network.

It is also worth mentioning that the filtering isn't adequate on all bridges; in particular, it shouldn't be activated on public bridges. It is therefore recommended to uncomment the FILTERED_BRIDGES line in /var/lib/one/remotes/hooks/vnm/ebtables-vlan and specify the list of bridges that should be filtered.

Since this functionality is provided through a hook, it won't remain effective after a migration: the hook isn't triggered again on the target host.

Configuration

External Component Configuration

  • ebtables package installed.
  • sudoers configured so oneadmin can execute ebtables in the hosts.

OpenNebula Configuration

To activate the hook, uncomment the following snippet in oned.conf:

VM_HOOK = [
    name      = "ebtables-vlan-on",
    on        = "RUNNING",
    command   = "vnm/ebtables-vlan",
    arguments = "on $TEMPLATE",
    remote    = "yes" ]
 
VM_HOOK = [
    name      = "ebtables-vlan-off",
    on        = "DONE",
    command   = "vnm/ebtables-vlan",
    arguments = "off $TEMPLATE",
    remote    = "yes" ]

Usage

No special attributes are required; the ebtables-vlan hook runs automatically once configured.

EBTABLES rules

This section lists the EBTABLES rules that are created:

# Drop packets that don't match the network's MAC Address
-s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP
# Prevent MAC spoofing
-s ! <mac_address> -i <tap_device> -j DROP
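To show how the two rules above fit together, and why the filter only works at 255.255.255.0 granularity (see Considerations & Limitations), here is an added POSIX shell example that is not the hook's own code and only prints the ebtables commands rather than running them. It assumes OpenNebula's default MAC_PREFIX of 02:00 (so a VM MAC is the prefix followed by the four lease-IP octets) and that the rules live in the ebtables FORWARD chain.

```shell
#!/bin/sh
# Added example, not the OpenNebula hook itself. Assumptions: the VM MAC is
# derived from the lease IP as MAC_PREFIX:ip (default prefix 02:00), and the
# rules are installed in the ebtables FORWARD chain.

# Build the OpenNebula-style MAC for a lease IP: 02:00 + four IP octets in hex.
ip_to_mac() {
    ip=$1; prefix=${2:-02:00}
    IFS=. read -r a b c d <<EOF
$ip
EOF
    printf '%s:%02x:%02x:%02x:%02x\n' "$prefix" "$a" "$b" "$c" "$d"
}

# Print the two ebtables commands for one VM interface.
# $1 = on|off (hook argument), $2 = VM MAC, $3 = tap device (e.g. vnet0)
ebtables_rules() {
    action=$1; mac=$2; tap=$3
    case "$action" in
        on)  op=-A ;;   # VM entered RUNNING: append the rules
        off) op=-D ;;   # VM is DONE: delete the very same rules
        *)   echo "usage: ebtables_rules on|off <mac> <tap>" >&2; return 1 ;;
    esac
    # Towards the VM: drop frames whose source MAC is outside the 5-byte
    # prefix shared by every lease of the same /24 network.
    echo "ebtables $op FORWARD -s ! $mac/ff:ff:ff:ff:ff:0 -o $tap -j DROP"
    # From the VM: drop frames that don't carry the MAC assigned to it.
    echo "ebtables $op FORWARD -s ! $mac -i $tap -j DROP"
}

# Simulate the first rule: succeed if a source MAC shares the first five
# bytes of the VM MAC (frame allowed), fail if it would be dropped.
same_network() {
    src=$1; mac=$2
    [ "${src%:*}" = "${mac%:*}" ]
}

# Demo: leases in 192.168.0.0/24 share a prefix, 192.168.1.0/24 does not,
# which is why the hook can only isolate at 255.255.255.0 granularity.
vm_mac=$(ip_to_mac 192.168.0.5)
ebtables_rules on "$vm_mac" vnet0
for ip in 192.168.0.200 192.168.1.5; do
    if same_network "$(ip_to_mac "$ip")" "$vm_mac"; then
        echo "$ip: allowed"
    else
        echo "$ip: dropped"
    fi
done
```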