From 28f3546fcfcf906030e2112fda918ce70c3ec4a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Font=C3=A1n=20Mui=C3=B1os?=
Date: Thu, 17 Sep 2009 16:39:06 +0000
Subject: [PATCH] ebtables script for kvm (#138)

git-svn-id: http://svn.opennebula.org/one/trunk@796 3034c82b-c49b-4eb3-8279-a7acafdc01c0
---
share/hooks/ebtables-kvm | 44 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100755 share/hooks/ebtables-kvm

diff --git a/share/hooks/ebtables-kvm b/share/hooks/ebtables-kvm
new file mode 100755
index 0000000000..8c4f2fac57
--- /dev/null
+++ b/share/hooks/ebtables-kvm
@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+require 'pp'
+require 'rexml/document'
+
+COMMAND=ARGV[0]
+VM_NAME=ARGV[1]
+
+def activate(rule)
+ system "sudo ebtables -A #{rule}"
+end
+
+def deactivate(rule)
+ system "sudo ebtables -D #{rule}"
+end
+
+nets=`virsh dumpxml #{VM_NAME}`
+
+doc=REXML::Document.new(nets).root
+
+doc.elements.each('/domain/devices/interface') {|net|
+ iface_mac=net.elements['mac'].attributes['address']
+
+ mac=iface_mac.split(':')
+ mac[-1]='00'
+ net_mac=mac.join(':')
+
+ tap=net.elements['target'].attributes['dev']
+
+ in_rule="INPUT -d ! #{iface_mac}/FF:FF:FF:FF:FF:FF -i #{tap} -j DROP"
+ out_rule="OUTPUT -s ! #{net_mac}/FF:FF:FF:FF:FF:00 -o #{tap} -j DROP"
+
+ case COMMAND
+ when "start"
+ activate(in_rule)
+ activate(out_rule)
+ when "stop"
+ deactivate(in_rule)
+ deactivate(out_rule)
+ else
+ puts "First parameter should be start or stop"
+ end
+}
+
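Review bot: `VM_NAME` is taken straight from `ARGV[1]` and interpolated into the backtick call `virsh dumpxml #{VM_NAME}`, so it is parsed by a shell. The MAC address and tap device read back from the domain XML are likewise interpolated into the single-string `system "sudo ebtables ..."` calls in `activate` and `deactivate`, so they too are parsed by a shell, this time on a command run through sudo. Passing argument vectors avoids the shell altogether: build each rule as an array and splat it into a multi-argument `system`, as in the excerpt below. It would also be worth validating the MAC against a fully anchored pattern (`\A...\z`) before using it. The return value of `system` should be checked as well, because as written a failed `ebtables -A` does not stop the script or change its exit status.

```ruby
def activate(rule)
  system('sudo', 'ebtables', '-A', *rule)
end

def deactivate(rule)
  system('sudo', 'ebtables', '-D', *rule)
end

nets = IO.popen(['virsh', 'dumpxml', VM_NAME], &:read)

# … unchanged: REXML parsing and iface_mac / net_mac / tap extraction …

  in_rule  = ['INPUT',  '-d', '!', "#{iface_mac}/FF:FF:FF:FF:FF:FF", '-i', tap, '-j', 'DROP']
  out_rule = ['OUTPUT', '-s', '!', "#{net_mac}/FF:FF:FF:FF:FF:00",   '-o', tap, '-j', 'DROP']

# … unchanged: case COMMAND start/stop dispatch …
```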