one/share/hooks/ebtables-kvm

#!/usr/bin/env ruby

# -------------------------------------------------------------------------- #
# Copyright 2002-2010, OpenNebula Project Leads (OpenNebula.org)             #
#                                                                            #
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
# not use this file except in compliance with the License. You may obtain    #
# a copy of the License at                                                   #
#                                                                            #
# http://www.apache.org/licenses/LICENSE-2.0                                 #
#                                                                            #
# Unless required by applicable law or agreed to in writing, software        #
# distributed under the License is distributed on an "AS IS" BASIS,          #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
# See the License for the specific language governing permissions and        #
# limitations under the License.                                             #
#--------------------------------------------------------------------------- #

require 'pp'
require 'rexml/document'
 
VM_NAME=ARGV[0]

# Uncomment to act only on the listed bridges.
#FILTERED_BRIDGES = ['beth0']

def activate(rule)
    system "sudo ebtables -A #{rule}"
end
 
def get_bridges
    bridges = Hash.new
    brctl_exit=`brctl show`
    cur_bridge = ""
    brctl_exit.split("\n")[1..-1].each do |l| 
        l = l.split
        if l.length > 1
            cur_bridge = l[0]
            bridges[cur_bridge] = Array.new
            bridges[cur_bridge] << l[3]
        else
            bridges[cur_bridge] << l[0]
        end
    end
    bridges
end

def get_interfaces
    bridges = get_bridges
    if defined? FILTERED_BRIDGES
        FILTERED_BRIDGES.collect {|k,v| bridges[k]}.flatten
    else
        bridges.values.flatten
    end
end

nets=`virsh -c qemu:///system dumpxml #{VM_NAME}`

doc=REXML::Document.new(nets).root

interfaces = get_interfaces()

doc.elements.each('/domain/devices/interface') {|net|
    tap=net.elements['target'].attributes['dev']
    if interfaces.include? tap
        iface_mac=net.elements['mac'].attributes['address']
     
        mac=iface_mac.split(':')
        mac[-1]='00'
        net_mac=mac.join(':')
     

        in_rule="FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP"
        out_rule="FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"
     
        activate(in_rule)
        activate(out_rule)
    end
}