From: Avi Kivity
Subject: Re: guest MAC-address isolation
Date: Wed, 25 Aug 2010 13:30:25 +0300
Message-ID: <4C74F0C1.6070106@redhat.com>
References: <1798815715.138.1282326482123.JavaMail.root@mail>
In-Reply-To: <1798815715.138.1282326482123.JavaMail.root@mail>
To: Robert Rebstock
Cc: kvm@vger.kernel.org

On 08/20/2010 08:48 PM, Robert Rebstock wrote:
> Hello.
> Thank you for your answer.
>
>> ----- Original Message -----
>> From: "Avi Kivity"
>> To: "Robert Rebstock"
>> Cc: kvm@vger.kernel.org
>> Sent: Tuesday, August 17, 2010 11:36:41 AM
>> Subject: Re: guest MAC-address isolation
>>
>> On 08/06/2010 08:09 PM, Robert Rebstock wrote:
>>> Hello all,
>>>
>>> can anyone recommend a better way to achieve (guest agnostic) MAC-address
>>> isolation in qemu/kvm than with user-mode networking?
>>>
>>> I have multiple guests requiring the same MAC-address, and user-mode/slirp
>>> networking is quite slow.
>>>
>> You can put the different guests on different bridges, and use IP
>> routing to connect the two bridges; or you can use ebtables to mangle
>> the MAC addresses.
>>
> Could you possibly give me an example? Unfortunately my networking skills are not the best,
> which is not to say that I don't try. The best I can do, after reading the
> documentation I could find, is:
>
> ebtables -t nat -A PREROUTING -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
> ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
>
> but I can see no way to mangle multiple identical MACs so as to achieve layer-2
> isolation for my snapshotted VMs.
>

You could use --in-interface to select packets based on which guest they originated from (for snat).

-- 
I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain.