#!/usr/bin/env ruby # -------------------------------------------------------------------------- # # Copyright 2002-2010, OpenNebula Project Leads (OpenNebula.org) # # # # Licensed under the Apache License, Version 2.0 (the "License"); you may # # not use this file except in compliance with the License. You may obtain # # a copy of the License at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # Unless required by applicable law or agreed to in writing, software # # distributed under the License is distributed on an "AS IS" BASIS, # # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # # See the License for the specific language governing permissions and # # limitations under the License. # #--------------------------------------------------------------------------- # require 'pp' require 'rexml/document' VM_NAME=ARGV[0] # Uncomment to act only on the listed bridges. #FILTERED_BRIDGES = ['beth0'] def activate(rule) system "sudo ebtables -A #{rule}" end def get_bridges bridges = Hash.new brctl_exit=`brctl show` cur_bridge = "" brctl_exit.split("\n")[1..-1].each do |l| l = l.split if l.length > 1 cur_bridge = l[0] bridges[cur_bridge] = Array.new bridges[cur_bridge] << l[3] else bridges[cur_bridge] << l[0] end end bridges end def get_interfaces bridges = get_bridges if defined? FILTERED_BRIDGES FILTERED_BRIDGES.collect {|k,v| bridges[k]}.flatten else bridges.values.flatten end end nets=`virsh -c qemu:///system dumpxml #{VM_NAME}` doc=REXML::Document.new(nets).root interfaces = get_interfaces() doc.elements.each('/domain/devices/interface') {|net| tap=net.elements['target'].attributes['dev'] if interfaces.include? tap iface_mac=net.elements['mac'].attributes['address'] mac=iface_mac.split(':') mac[-1]='00' net_mac=mac.join(':') in_rule="FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP" out_rule="FORWARD -s ! #{iface_mac} -i #{tap} -j DROP" activate(in_rule) activate(out_rule) end }