root / docs / index.rst @ 126f8f4e
History | View | Annotate | Download (9.9 kB)
| 1 | 126f8f4e | Dimitris Aragiorgis | .. snf-network documentation master file, created by |
|---|---|---|---|
| 2 | 126f8f4e | Dimitris Aragiorgis | sphinx-quickstart on Wed Feb 12 20:00:16 2014. |
| 3 | 126f8f4e | Dimitris Aragiorgis | You can adapt this file completely to your liking, but it should at least |
| 4 | 126f8f4e | Dimitris Aragiorgis | contain the root `toctree` directive. |
| 5 | 126f8f4e | Dimitris Aragiorgis | |
| 6 | 126f8f4e | Dimitris Aragiorgis | Welcome to snf-network's documentation! |
| 7 | 126f8f4e | Dimitris Aragiorgis | ======================================= |
| 8 | 126f8f4e | Dimitris Aragiorgis | |
| 9 | 126f8f4e | Dimitris Aragiorgis | snf-network is a set of scripts that handle the network configuration of |
| 10 | 126f8f4e | Dimitris Aragiorgis | an instance inside a Ganeti cluster. It takes advantange of the |
| 11 | 126f8f4e | Dimitris Aragiorgis | variables that Ganeti exports to their execution environment and issue |
| 12 | 126f8f4e | Dimitris Aragiorgis | all the necessary commands to ensure network connectivity to the instance |
| 13 | 126f8f4e | Dimitris Aragiorgis | based on the requested setup. |
| 14 | 126f8f4e | Dimitris Aragiorgis | |
| 15 | 126f8f4e | Dimitris Aragiorgis | Environment |
| 16 | 126f8f4e | Dimitris Aragiorgis | ----------- |
| 17 | 126f8f4e | Dimitris Aragiorgis | |
| 18 | 126f8f4e | Dimitris Aragiorgis | Ganeti supports `IP pool management |
| 19 | 126f8f4e | Dimitris Aragiorgis | <http://docs.ganeti.org/ganeti/master/html/design-network.html>`_ |
| 20 | 126f8f4e | Dimitris Aragiorgis | so that end-user can put instances inside networks and get all information |
| 21 | 126f8f4e | Dimitris Aragiorgis | related to the network in scripts. Specifically the following options are |
| 22 | 126f8f4e | Dimitris Aragiorgis | exported: |
| 23 | 126f8f4e | Dimitris Aragiorgis | |
| 24 | 126f8f4e | Dimitris Aragiorgis | * IP |
| 25 | 126f8f4e | Dimitris Aragiorgis | * MAC |
| 26 | 126f8f4e | Dimitris Aragiorgis | * MODE |
| 27 | 126f8f4e | Dimitris Aragiorgis | * LINK |
| 28 | 126f8f4e | Dimitris Aragiorgis | |
| 29 | 126f8f4e | Dimitris Aragiorgis | are per NIC specific, whereas: |
| 30 | 126f8f4e | Dimitris Aragiorgis | |
| 31 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_SUBNET |
| 32 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_GATEWAY |
| 33 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_MAC_PREFIX |
| 34 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_TAGS |
| 35 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_SUBNET6 |
| 36 | 126f8f4e | Dimitris Aragiorgis | * NETWORK_GATEWAY6 |
| 37 | 126f8f4e | Dimitris Aragiorgis | |
| 38 | 126f8f4e | Dimitris Aragiorgis | are inherited by the network in which a NIC resides (optional). |
| 39 | 126f8f4e | Dimitris Aragiorgis | |
| 40 | 126f8f4e | Dimitris Aragiorgis | Scripts |
| 41 | 126f8f4e | Dimitris Aragiorgis | ------- |
| 42 | 126f8f4e | Dimitris Aragiorgis | |
| 43 | 126f8f4e | Dimitris Aragiorgis | The scripts can be devided into two categories: |
| 44 | 126f8f4e | Dimitris Aragiorgis | |
| 45 | 126f8f4e | Dimitris Aragiorgis | 1. The scripts that are invoked explicitly by Ganeti upon NIC creation. |
| 46 | 126f8f4e | Dimitris Aragiorgis | |
| 47 | 126f8f4e | Dimitris Aragiorgis | 2. The scripts that are invoked by Ganeti Hooks Manager before or after an |
| 48 | 126f8f4e | Dimitris Aragiorgis | opcode execution. |
| 49 | 126f8f4e | Dimitris Aragiorgis | |
| 50 | 126f8f4e | Dimitris Aragiorgis | The first group has the exact NIC info that is about to be configured where |
| 51 | 126f8f4e | Dimitris Aragiorgis | the latter one has the info of the whole instance. The big difference is that |
| 52 | 126f8f4e | Dimitris Aragiorgis | instance configuration (from the master perspective) might vary or be total |
| 53 | 126f8f4e | Dimitris Aragiorgis | different from the one that is currently running. The reason is that some |
| 54 | 126f8f4e | Dimitris Aragiorgis | modifications can take place without hotplug. |
| 55 | 126f8f4e | Dimitris Aragiorgis | |
| 56 | 126f8f4e | Dimitris Aragiorgis | |
| 57 | 126f8f4e | Dimitris Aragiorgis | kvm-ifup-custom |
| 58 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^^ |
| 59 | 126f8f4e | Dimitris Aragiorgis | |
| 60 | 126f8f4e | Dimitris Aragiorgis | Ganeti upon instance startup and NIC hotplug creates the TAP devices to |
| 61 | 126f8f4e | Dimitris Aragiorgis | reflect to the instance's NICs. After that it invokes the Ganeti's `kvm-ifup` |
| 62 | 126f8f4e | Dimitris Aragiorgis | script with the TAP name as first argument and an environment including |
| 63 | 126f8f4e | Dimitris Aragiorgis | all NIC's and the corresponding network's info. This script searches for |
| 64 | 126f8f4e | Dimitris Aragiorgis | a user provided one under `/etc/ganeti/kvm-ifup-custom` and executes it |
| 65 | 126f8f4e | Dimitris Aragiorgis | instead. |
| 66 | 126f8f4e | Dimitris Aragiorgis | |
| 67 | 126f8f4e | Dimitris Aragiorgis | |
| 68 | 126f8f4e | Dimitris Aragiorgis | kvm-ifdown-custom |
| 69 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^^^^ |
| 70 | 126f8f4e | Dimitris Aragiorgis | |
| 71 | 126f8f4e | Dimitris Aragiorgis | In order to cleanup or modify the node's setup or the configuration of an |
| 72 | 126f8f4e | Dimitris Aragiorgis | external component, Ganeti upon instance shutdown, successful instance |
| 73 | 126f8f4e | Dimitris Aragiorgis | migration on source node and NIC hot-unplug invokes `kvm-ifdown` script |
| 74 | 126f8f4e | Dimitris Aragiorgis | with the TAP name as first argument and a boolean second argument pointing |
| 75 | 126f8f4e | Dimitris Aragiorgis | whether we want to do local cleanup only (in case of instance migration) or |
| 76 | 126f8f4e | Dimitris Aragiorgis | totally unconfigure the interface along with e.g., any DNS entries (in case |
| 77 | 126f8f4e | Dimitris Aragiorgis | of NIC hot-unplug). This script searches for a user provided one under |
| 78 | 126f8f4e | Dimitris Aragiorgis | `/etc/ganeti/kvm-ifdown-custom` and executes it instead. |
| 79 | 126f8f4e | Dimitris Aragiorgis | |
| 80 | 126f8f4e | Dimitris Aragiorgis | |
| 81 | 126f8f4e | Dimitris Aragiorgis | vif-custom |
| 82 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^ |
| 83 | 126f8f4e | Dimitris Aragiorgis | |
| 84 | 126f8f4e | Dimitris Aragiorgis | Ganeti provides a hypervisor parameter that defines the script to be executed |
| 85 | 126f8f4e | Dimitris Aragiorgis | per NIC upon instance startup: `vif-script`. Ganeti provides `vif-ganeti` as |
| 86 | 126f8f4e | Dimitris Aragiorgis | example script which executes `/etc/xen/scripts/vif-custom` if found. |
| 87 | 126f8f4e | Dimitris Aragiorgis | |
| 88 | 126f8f4e | Dimitris Aragiorgis | |
| 89 | 126f8f4e | Dimitris Aragiorgis | snf-network-hook |
| 90 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^^^ |
| 91 | 126f8f4e | Dimitris Aragiorgis | |
| 92 | 126f8f4e | Dimitris Aragiorgis | This hook gets all static info related to an instance from evironment variables |
| 93 | 126f8f4e | Dimitris Aragiorgis | and issues any commands needed. It was used to fix node's setup upon migration |
| 94 | 126f8f4e | Dimitris Aragiorgis | when ifdown script was not supported but now it does nothing. |
| 95 | 126f8f4e | Dimitris Aragiorgis | |
| 96 | 126f8f4e | Dimitris Aragiorgis | |
| 97 | 126f8f4e | Dimitris Aragiorgis | snf-network-dnshook |
| 98 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^^^^^^ |
| 99 | 126f8f4e | Dimitris Aragiorgis | |
| 100 | 126f8f4e | Dimitris Aragiorgis | This hook updates an external `DDNS <https://wiki.debian.org/DDNS>`_ setup via |
| 101 | 126f8f4e | Dimitris Aragiorgis | ``nsupdate``. Since we add/remove entries during ifup/ifdown scripts, we use |
| 102 | 126f8f4e | Dimitris Aragiorgis | this only during instance remove/shutdown/rename. It does not rely on exported |
| 103 | 126f8f4e | Dimitris Aragiorgis | environment but it queries first the DNS server to obtain current entries and |
| 104 | 126f8f4e | Dimitris Aragiorgis | then it invokes the neccessary commands to remove them (and the relevant |
| 105 | 126f8f4e | Dimitris Aragiorgis | reverse ones too). |
| 106 | 126f8f4e | Dimitris Aragiorgis | |
| 107 | 126f8f4e | Dimitris Aragiorgis | |
| 108 | 126f8f4e | Dimitris Aragiorgis | Supported Setups |
| 109 | 126f8f4e | Dimitris Aragiorgis | ---------------- |
| 110 | 126f8f4e | Dimitris Aragiorgis | |
| 111 | 126f8f4e | Dimitris Aragiorgis | Currently since NICs in Ganeti are not taggable objects, we use network's and |
| 112 | 126f8f4e | Dimitris Aragiorgis | instance's tags to customize each NIC configuration. NIC inherits the network's |
| 113 | 126f8f4e | Dimitris Aragiorgis | tags (if attached to any) and further customization can be achieved with |
| 114 | 126f8f4e | Dimitris Aragiorgis | instance tags e.g. <tag prefix>:<nic uuid or name>:<tag>. In the following |
| 115 | 126f8f4e | Dimitris Aragiorgis | subsections we will mention all supported tags and their reflected underline |
| 116 | 126f8f4e | Dimitris Aragiorgis | setup. |
| 117 | 126f8f4e | Dimitris Aragiorgis | |
| 118 | 126f8f4e | Dimitris Aragiorgis | |
| 119 | 126f8f4e | Dimitris Aragiorgis | ip-less-routed |
| 120 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^ |
| 121 | 126f8f4e | Dimitris Aragiorgis | |
| 122 | 126f8f4e | Dimitris Aragiorgis | This setup has the following characteristics: |
| 123 | 126f8f4e | Dimitris Aragiorgis | |
| 124 | 126f8f4e | Dimitris Aragiorgis | * An external gateway on the same collition domain with all nodes on some |
| 125 | 126f8f4e | Dimitris Aragiorgis | interface (e.g. eth1, eth0.200) is needed. |
| 126 | 126f8f4e | Dimitris Aragiorgis | * Each node is a router for the hostes VMs |
| 127 | 126f8f4e | Dimitris Aragiorgis | * The node itself does not have an IP inside the routed network |
| 128 | 126f8f4e | Dimitris Aragiorgis | * The node does proxy ARP for IPv4 networks |
| 129 | 126f8f4e | Dimitris Aragiorgis | * The node does proxy NDP for IPv6 networks while RA and NA are |
| 130 | 126f8f4e | Dimitris Aragiorgis | * RS and NS are served locally by |
| 131 | 126f8f4e | Dimitris Aragiorgis | `nfdhcpd <http://www.synnefo.org/docs/nfdhcpd/latest/index.html>`_ |
| 132 | 126f8f4e | Dimitris Aragiorgis | since the VMs are not on the same link with the router. |
| 133 | 126f8f4e | Dimitris Aragiorgis | |
| 134 | 126f8f4e | Dimitris Aragiorgis | Lets analyze a simple PING from an instance to an external IP using this setup. |
| 135 | 126f8f4e | Dimitris Aragiorgis | We assume the following: |
| 136 | 126f8f4e | Dimitris Aragiorgis | |
| 137 | 126f8f4e | Dimitris Aragiorgis | * ``IP`` is the instance's IP |
| 138 | 126f8f4e | Dimitris Aragiorgis | * ``GW_IP`` is the external router's IP |
| 139 | 126f8f4e | Dimitris Aragiorgis | * ``NODE_IP`` is the node's IP |
| 140 | 126f8f4e | Dimitris Aragiorgis | * ``ARP_IP`` is a dummy IP inside the network needed for proxy ARP |
| 141 | 126f8f4e | Dimitris Aragiorgis | |
| 142 | 126f8f4e | Dimitris Aragiorgis | * ``MAC`` is the instance's MAC |
| 143 | 126f8f4e | Dimitris Aragiorgis | * ``TAP_MAC`` is the tap's MAC |
| 144 | 126f8f4e | Dimitris Aragiorgis | * ``DEV_MAC`` is the host's DEV MAC |
| 145 | 126f8f4e | Dimitris Aragiorgis | * ``GW_MAC`` is the external router's MAC |
| 146 | 126f8f4e | Dimitris Aragiorgis | |
| 147 | 126f8f4e | Dimitris Aragiorgis | * ``DEV`` is the node's device that the router is visible from |
| 148 | 126f8f4e | Dimitris Aragiorgis | * ``TAP`` is the host interface connected with the instance's eth0 |
| 149 | 126f8f4e | Dimitris Aragiorgis | |
| 150 | 126f8f4e | Dimitris Aragiorgis | Since we suppose to be on the same link with the router, ARP takes place first: |
| 151 | 126f8f4e | Dimitris Aragiorgis | |
| 152 | 126f8f4e | Dimitris Aragiorgis | 1) The VM wants to know the GW_MAC. Since the traffic is routed we do proxy ARP. |
| 153 | 126f8f4e | Dimitris Aragiorgis | |
| 154 | 126f8f4e | Dimitris Aragiorgis | - ARP, Request who-has GW_IP tell IP |
| 155 | 126f8f4e | Dimitris Aragiorgis | - ARP, Reply GW_IP is-at TAP_MAC ``echo 1 > /proc/sys/net/conf/TAP/proxy_arp`` |
| 156 | 126f8f4e | Dimitris Aragiorgis | - So `arp -na` insided the VM shows: ``(GW_IP) at TAP_MAC [ether] on eth0`` |
| 157 | 126f8f4e | Dimitris Aragiorgis | |
| 158 | 126f8f4e | Dimitris Aragiorgis | 2) The host wants to know the GW_MAC. Since the node does **not** have an IP |
| 159 | 126f8f4e | Dimitris Aragiorgis | inside the network we use the dummy one specified above. |
| 160 | 126f8f4e | Dimitris Aragiorgis | |
| 161 | 126f8f4e | Dimitris Aragiorgis | - ARP, Request who-has GW_IP tell ARP_IP (Created by DEV) |
| 162 | 126f8f4e | Dimitris Aragiorgis | ``arptables -I OUTPUT -o DEV --opcode 1 -j mangle --mangle-ip-s ARP_IP`` |
| 163 | 126f8f4e | Dimitris Aragiorgis | - ARP, Reply GW_IP is-at GW_MAC |
| 164 | 126f8f4e | Dimitris Aragiorgis | |
| 165 | 126f8f4e | Dimitris Aragiorgis | 3) The host wants to know MAC so that it can proxy it. |
| 166 | 126f8f4e | Dimitris Aragiorgis | |
| 167 | 126f8f4e | Dimitris Aragiorgis | - We simulate here that the VM sees **only** GW on the link. |
| 168 | 126f8f4e | Dimitris Aragiorgis | - ARP, Request who-has IP tell GW_IP (Created by TAP) |
| 169 | 126f8f4e | Dimitris Aragiorgis | ``arptables -I OUTPUT -o TAP --opcode 1 -j mangle --mangle-ip-s GW_IP`` |
| 170 | 126f8f4e | Dimitris Aragiorgis | - So `arp -na` inside the host shows: |
| 171 | 126f8f4e | Dimitris Aragiorgis | ``(GW_IP) at GW_MAC [ether] on DEV, (IP) at MAC on TAP`` |
| 172 | 126f8f4e | Dimitris Aragiorgis | |
| 173 | 126f8f4e | Dimitris Aragiorgis | 4) GW wants to know who does proxy for IP. |
| 174 | 126f8f4e | Dimitris Aragiorgis | |
| 175 | 126f8f4e | Dimitris Aragiorgis | - ARP, Request who-has IP tell GW_IP |
| 176 | 126f8f4e | Dimitris Aragiorgis | - ARP, Reply IP is-at DEV_MAC (Created by host's DEV) |
| 177 | 126f8f4e | Dimitris Aragiorgis | |
| 178 | 126f8f4e | Dimitris Aragiorgis | |
| 179 | 126f8f4e | Dimitris Aragiorgis | With the above we have a working proxy ARP configuration. The rest is done |
| 180 | 126f8f4e | Dimitris Aragiorgis | via simple L3 routing. Lets assume the following: |
| 181 | 126f8f4e | Dimitris Aragiorgis | |
| 182 | 126f8f4e | Dimitris Aragiorgis | * ``TABLE`` is the extra routing table |
| 183 | 126f8f4e | Dimitris Aragiorgis | * ``SUBNET`` is the IPv4 subnet where the VM's IP reside |
| 184 | 126f8f4e | Dimitris Aragiorgis | |
| 185 | 126f8f4e | Dimitris Aragiorgis | 1) Outgoing traffic: |
| 186 | 126f8f4e | Dimitris Aragiorgis | |
| 187 | 126f8f4e | Dimitris Aragiorgis | - Traffic coming out of TAP is routed via TABLE |
| 188 | 126f8f4e | Dimitris Aragiorgis | ``ip rule add dev TAP table TABLE`` |
| 189 | 126f8f4e | Dimitris Aragiorgis | - TABLE states that default route is GW_IP via DEV |
| 190 | 126f8f4e | Dimitris Aragiorgis | ``ip route add default via GW_IP dev DEV`` |
| 191 | 126f8f4e | Dimitris Aragiorgis | |
| 192 | 126f8f4e | Dimitris Aragiorgis | 2) Incoming traffic: |
| 193 | 126f8f4e | Dimitris Aragiorgis | |
| 194 | 126f8f4e | Dimitris Aragiorgis | - Packet arrives at router |
| 195 | 126f8f4e | Dimitris Aragiorgis | - Router knows from proxy ARP that the IP is at DEV_MAC. |
| 196 | 126f8f4e | Dimitris Aragiorgis | - Router sends ethernet packet with tgt DEV_MAC |
| 197 | 126f8f4e | Dimitris Aragiorgis | - Host receives the packet from DEV interface |
| 198 | 126f8f4e | Dimitris Aragiorgis | - Traffic coming out DEV is routed via TABLE |
| 199 | 126f8f4e | Dimitris Aragiorgis | ``ip rule add dev DEV table TABLE`` |
| 200 | 126f8f4e | Dimitris Aragiorgis | - Traffic targeting IP is routed to TAP |
| 201 | 126f8f4e | Dimitris Aragiorgis | ``ip route add IP dev TAP`` |
| 202 | 126f8f4e | Dimitris Aragiorgis | |
| 203 | 126f8f4e | Dimitris Aragiorgis | 3) Host to VM traffic: |
| 204 | 126f8f4e | Dimitris Aragiorgis | |
| 205 | 126f8f4e | Dimitris Aragiorgis | - Impossible if the VM resides in the host |
| 206 | 126f8f4e | Dimitris Aragiorgis | - Otherwise there is a route for it: ``ip route add SUBNET dev DEV`` |
| 207 | 126f8f4e | Dimitris Aragiorgis | |
| 208 | 126f8f4e | Dimitris Aragiorgis | The IPv6 setup is pretty similar but instead of proxy ARP we have proxy NDP |
| 209 | 126f8f4e | Dimitris Aragiorgis | and RS and NS coming from TAP are served by nfdhpcd. RA contain network's |
| 210 | 126f8f4e | Dimitris Aragiorgis | prefix and has M flag unset in order the VM to obtain its IP6 via SLAAC and |
| 211 | 126f8f4e | Dimitris Aragiorgis | O flag set to obtain static info (nameservers, domain search list) via DHCPv6 |
| 212 | 126f8f4e | Dimitris Aragiorgis | (also served by nfdhcpd). |
| 213 | 126f8f4e | Dimitris Aragiorgis | |
| 214 | 126f8f4e | Dimitris Aragiorgis | Again the VM sees on its link local only TAP which is supposed to be the |
| 215 | 126f8f4e | Dimitris Aragiorgis | Router. The host does proxy for IP6 ``ip -6 neigh add EUI64 dev DEV``. |
| 216 | 126f8f4e | Dimitris Aragiorgis | |
| 217 | 126f8f4e | Dimitris Aragiorgis | When an interface gets up inside a host we should invalidate all entries |
| 218 | 126f8f4e | Dimitris Aragiorgis | related to its IP among other nodes and the router. For proxy ARP we do |
| 219 | 126f8f4e | Dimitris Aragiorgis | ``arpsend -U -c 1 -i IP DEV`` and for proxy NDP we do ``ndsend EUI64 DEV`` |
| 220 | 126f8f4e | Dimitris Aragiorgis | |
| 221 | 126f8f4e | Dimitris Aragiorgis | |
| 222 | 126f8f4e | Dimitris Aragiorgis | private-filtered |
| 223 | 126f8f4e | Dimitris Aragiorgis | ^^^^^^^^^^^^^^^^ |
| 224 | 126f8f4e | Dimitris Aragiorgis | |
| 225 | 126f8f4e | Dimitris Aragiorgis | In order to provide L2 isolation among several VMs we can use ebtables on a |
| 226 | 126f8f4e | Dimitris Aragiorgis | **single** bridge. The infrastracture must provide a physical VLAN or separate |
| 227 | 126f8f4e | Dimitris Aragiorgis | interaface shared among all nodes in the cluster. All virtual interfaces will |
| 228 | 126f8f4e | Dimitris Aragiorgis | be bridged on a common bridge (e.g. ``prv0``) and filtering will be done via |
| 229 | 126f8f4e | Dimitris Aragiorgis | ebtables and MAC prefix. The concept is that all interfaces on the same L2 |
| 230 | 126f8f4e | Dimitris Aragiorgis | should have the same MAC prefix. MAC prefix uniqueness is quaranteed by |
| 231 | 126f8f4e | Dimitris Aragiorgis | synnefo and passed to Ganeti as a network option. |
| 232 | 126f8f4e | Dimitris Aragiorgis | |
| 233 | 126f8f4e | Dimitris Aragiorgis | To ensure isolation we should allow traffic coming from tap to have specific |
| 234 | 126f8f4e | Dimitris Aragiorgis | source MAC and at the same time allow traffic coming to tap to have a source |
| 235 | 126f8f4e | Dimitris Aragiorgis | MAC in the same MAC prefix. Applying those rules only in FORWARD chain will not |
| 236 | 126f8f4e | Dimitris Aragiorgis | guarantee isolation. The reason is because packets with target MAC a `mutlicast |
| 237 | 126f8f4e | Dimitris Aragiorgis | address <http://en.wikipedia.org/wiki/Multicast_address>`_ go through INPUT and |
| 238 | 126f8f4e | Dimitris Aragiorgis | OUTPUT chains. To sum up the following ebtables rules are applied: |
| 239 | 126f8f4e | Dimitris Aragiorgis | |
| 240 | 126f8f4e | Dimitris Aragiorgis | .. code-block:: console |
| 241 | 126f8f4e | Dimitris Aragiorgis | |
| 242 | 126f8f4e | Dimitris Aragiorgis | # Create new chains |
| 243 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -N FROMTAP5 |
| 244 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -N TOTAP5 |
| 245 | 126f8f4e | Dimitris Aragiorgis | |
| 246 | 126f8f4e | Dimitris Aragiorgis | # Filter multicast traffic from VM |
| 247 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A INPUT -i tap5 -j FROMTAP5 |
| 248 | 126f8f4e | Dimitris Aragiorgis | |
| 249 | 126f8f4e | Dimitris Aragiorgis | # Filter multicast traffic to VM |
| 250 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A OUTPUT -o tap5 -j TOTAP5 |
| 251 | 126f8f4e | Dimitris Aragiorgis | |
| 252 | 126f8f4e | Dimitris Aragiorgis | # Filter traffic from VM |
| 253 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A FORWARD -i tap5 -j FROMTAP5 |
| 254 | 126f8f4e | Dimitris Aragiorgis | # Filter traffic to VM |
| 255 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A FORWARD -o tap5 -j TOTAP5 |
| 256 | 126f8f4e | Dimitris Aragiorgis | |
| 257 | 126f8f4e | Dimitris Aragiorgis | # Allow only specific src MAC for outgoing traffic |
| 258 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A FROMTAP5 -s ! aa:55:66:1a:ae:82 -j DROP |
| 259 | 126f8f4e | Dimitris Aragiorgis | # Allow only specific src MAC prefix for incoming traffic |
| 260 | 126f8f4e | Dimitris Aragiorgis | ebtables -t filter -A TOTAP5 -s ! aa:55:60:0:0:0/ff:ff:f0:0:0:0 -j DROP |
| 261 | 126f8f4e | Dimitris Aragiorgis | |
| 262 | 126f8f4e | Dimitris Aragiorgis | |
| 263 | 126f8f4e | Dimitris Aragiorgis | dns |
| 264 | 126f8f4e | Dimitris Aragiorgis | ^^^ |
| 265 | 126f8f4e | Dimitris Aragiorgis | |
| 266 | 126f8f4e | Dimitris Aragiorgis | snf-network can update an external `DDNS <https://wiki.debian.org/DDNS>`_ |
| 267 | 126f8f4e | Dimitris Aragiorgis | server. `ifup` and `ifdown` scripts, if `dns` network tag is found, will use |
| 268 | 126f8f4e | Dimitris Aragiorgis | `nsupdate` and add/remove entries related to the interface that is being |
| 269 | 126f8f4e | Dimitris Aragiorgis | managed. |
| 270 | 126f8f4e | Dimitris Aragiorgis | |
| 271 | 126f8f4e | Dimitris Aragiorgis | |
| 272 | 126f8f4e | Dimitris Aragiorgis | Contents: |
| 273 | 126f8f4e | Dimitris Aragiorgis | |
| 274 | 126f8f4e | Dimitris Aragiorgis | .. toctree:: |
| 275 | 126f8f4e | Dimitris Aragiorgis | :maxdepth: 2 |
| 276 | 126f8f4e | Dimitris Aragiorgis | |
| 277 | 126f8f4e | Dimitris Aragiorgis | |
| 278 | 126f8f4e | Dimitris Aragiorgis | |
| 279 | 126f8f4e | Dimitris Aragiorgis | Indices and tables |
| 280 | 126f8f4e | Dimitris Aragiorgis | ================== |
| 281 | 126f8f4e | Dimitris Aragiorgis | |
| 282 | 126f8f4e | Dimitris Aragiorgis | * :ref:`genindex` |
| 283 | 126f8f4e | Dimitris Aragiorgis | * :ref:`modindex` |
| 284 | 126f8f4e | Dimitris Aragiorgis | * :ref:`search` |