#!/usr/bin/env ruby
# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
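#------------------------------------------------------------------------------
# Configuration Options for the script. Change it to fit your installation
#
# Each entry is the command used to reach the tool, with an optional "sudo"
# prefix where the script is not run as root. The strings are used verbatim
# to build the command lines below, so keep them to an executable path (plus
# that prefix) and put no shell syntax in them.
#------------------------------------------------------------------------------
CONF = {
    :ebtables => "sudo /sbin/ebtables",
    :brctl    => "/usr/sbin/brctl",
    :xm       => "sudo /usr/sbin/xm"
}.freeze # a constant: freezing makes accidental mutation at runtime fail loudly
#------------------------------------------------------------------------------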
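#------------------------------------------------------------------------------
# Applies a given rule to the ebtables (appends it with "-A").
#
# The configured ebtables command and the rule are split into argv words and
# handed to system() as an argument list, so no shell is involved: a MAC or
# interface name containing unexpected characters is passed through literally
# instead of being re-interpreted by /bin/sh.
#
# @param rule [String] whitespace-separated rule spec, e.g.
#   "FORWARD -s ! 02:00:c0:a8:00:00/ff:ff:ff:ff:ff:00 -o vif3.0 -j DROP"
# @return [Boolean, nil] true when ebtables exited 0, false on a non-zero
#   exit, nil when the command could not be run; a failure is reported on
#   stderr rather than raised so the remaining rules are still attempted
#------------------------------------------------------------------------------
def activate(rule)
    argv = CONF[:ebtables].split + ["-A"] + rule.split
    ok   = system(*argv)

    # a silently failed insert leaves the VM without its filtering rule,
    # so make the failure visible in the hook's output
    $stderr.puts "#{$0}: could not apply ebtables rule: #{rule}" unless ok

    ok
end
#------------------------------------------------------------------------------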
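#------------------------------------------------------------------------------
# Gets the interfaces attached to each bridge, as reported by `brctl show`.
#
# The output parsed here looks like (the first line is a column header):
#
#   bridge name  bridge id          STP enabled  interfaces
#   br0          8000.001122334455  no           eth0
#                                                vif1.0
#   br1          8000.00aabbccddee  no
#
# A bridge line carries the bridge name in column 0 and, when at least one
# port is attached, its first interface in column 3; any further ports follow
# on single-column continuation lines. A bridge with no ports has no 4th
# column and maps to an empty list.
#
# @param brctl_output [String] raw `brctl show` text; defaults to running the
#   configured brctl command, so it is normally only passed in by tests
# @return [Hash{String => Array<String>}] bridge name => attached interfaces
#------------------------------------------------------------------------------
def get_interfaces(brctl_output = `#{CONF[:brctl]} show`)
    bridges    = Hash.new
    cur_bridge = nil

    # drop(1) skips the header and, unlike [1..-1], yields [] (not nil) when
    # brctl printed nothing at all
    brctl_output.split("\n").drop(1).each do |line|
        fields = line.split
        next if fields.empty?

        if fields.length > 1
            # new bridge; fields[3] is missing when no port is attached
            cur_bridge = fields[0]
            bridges[cur_bridge] = Array.new
            bridges[cur_bridge] << fields[3] if fields[3]
        elsif cur_bridge
            # continuation line: one more port of the current bridge
            bridges[cur_bridge] << fields[0]
        end
    end

    bridges
end
#------------------------------------------------------------------------------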
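###############################################################################
# Main
#
# Usage: <script> <vm_name>
#
# Resolves the Xen domain id of the VM, lists its virtual interfaces and, for
# every vif that is actually plugged into a bridge, appends two ebtables
# FORWARD rules:
#   - frames delivered to the vif (-o) must come from a source MAC sharing the
#     vif's first five octets (mask ff:ff:ff:ff:ff:00), otherwise DROP
#   - frames leaving the vif (-i) must carry the vif's own MAC, otherwise DROP
###############################################################################

VM_NAME = ARGV[0]

# VM_NAME is interpolated into a shell command line below; this hook is meant
# to be invoked by the hypervisor driver with the domain name it manages.
abort "Usage: #{$0} <vm_name>" if VM_NAME.nil? || VM_NAME.empty?

vm_id = `#{CONF[:xm]} domid #{VM_NAME}`.strip

# without a domain id every tap name below would be "vif.N" and no rule would
# ever be installed; fail loudly instead of leaving the VM unfiltered
abort "#{$0}: could not resolve the domain id of '#{VM_NAME}'" if vm_id.empty?

# the first line of `xm network-list` is a column header; drop(1) also copes
# with empty output, where [1..-1] would return nil
networks = `#{CONF[:xm]} network-list #{vm_id}`.split("\n").drop(1)

# get_interfaces returns { bridge => [iface, ...] }. Hash#include? tests the
# keys (bridge names), so the taps must be looked up in the flattened values.
attached = get_interfaces.values.flatten

networks.each do |net|
    # xm network-list: column 0 is the vif index, column 2 its MAC address
    fields    = net.split
    iface_id  = fields[0]
    iface_mac = fields[2]
    next if iface_id.nil? || iface_mac.nil?

    tap = "vif#{vm_id}.#{iface_id}"
    next unless attached.include?(tap)

    # network prefix: the vif MAC with its last octet zeroed
    mac     = iface_mac.split(':')
    mac[-1] = '00'
    net_mac = mac.join(':')

    in_rule  = "FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP"
    out_rule = "FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"

    activate(in_rule)
    activate(out_rule)
end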