A simple shell script to remove all ebtables rules on Linux firewall.
Original explanation of libvirt and iptables etc
Daniel Berrange wrote this some time ago. It has since been rolled into various editions of the official RH and Fedora documentation. I like to go back to this for reference though, as it is very clear: http://www.redhat.com/archives/libvir-list/2010-June/msg00762.html
In addition, this ServerFault question about avoiding the insertion of REJECT rules when the host iptables service is restarted is worth understanding. Two solutions are proffered: one is to use the newer firewalld, the other is to use custom NAT networks (hence the relevance of the Berrange overview above).
Jamie Nguyen's Libvirtd networking handbook is a strongly recommended resource here.
How to save and load ebtables rules
iptables filters IP packets; ebtables filters Ethernet frames (for example by MAC address) and so can control the traffic crossing a Linux bridge. Libvirt uses ebtables to filter the network traffic of virtual machines. Since I did not find an easy way to save and load ebtables rules, I provide my own commands here:

# download ebtables source code:
# http://sourceforge.net/projects/ebtables/files/ebtables/ebtables-2-0-10-4/ebtables-v2.0.10-4.tar.gz/download
tar xzvf ebtables-v2.0.10-4.tar.gz
cd ebtables-v2.0.10-4/

# save ebtables:
sed -i 's|__EXEC_PATH__|/sbin|g' ebtables-save
perl ebtables-save > ebtables-save.txt

# the restore program did not work:
ebtables-restore < ebtables-save.txt
# it fails with: Bad table name 'nat'

# list the NAT table (network address translation)
ebtables -t nat -L

# restore ebtables - my own version:
# load ebtables (only the NAT part; this assumes nat is the last table in the
# dump, otherwise the lines of the following table are picked up as well):
grep -A1000 "^*nat" ebtables-save.txt > ebtables-save-nat.txt
# delete all rules first (-F flushes every chain, -X then removes the
# user-defined chains, which are unreferenced after the flush)
echo "ebtables -t nat -F;ebtables -t nat -X" > ebtables-commands.sh
# translate the saved rules to ebtables commands (GNU sed):
# the built-in chains PREROUTING, OUTPUT and POSTROUTING already exist and
# cannot be created with -N, so only their policy is set with -P
sed -e 's|*nat|#|' \
    -e 's|^:\(PREROUTING\|OUTPUT\|POSTROUTING\) \(.*\)|ebtables -t nat -P \1 \2|' \
    -e 's|^:\([^ ]*\) \(.*\)|ebtables -t nat -N \1 -P \2|' \
    -e 's|^-\(.*\)|ebtables -t nat -\1|' ebtables-save-nat.txt >> ebtables-commands.sh
# review ebtables-commands.sh, then execute the commands
bash ebtables-commands.sh
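The same regeneration step written more robustly, as an added example that is not the page's own script: it extracts exactly one table from an ebtables-save dump (so a table that follows *nat in the dump is not swallowed by grep -A1000), sets the policy of built-in chains with -P instead of trying to re-create them with -N, creates user-defined chains before any rule jumps to them, and handles the filter and broute tables the same way. It only generates the command script, so you can review it before running it as root. The dump embedded below is constructed to look like ebtables-save output; the chain names libvirt-I and I-vnet0-mac and the MAC address are illustrative, not taken from a real host.

```shell
#!/bin/sh
# Added example (not the page's own script): rebuild ebtables rules from an
# ebtables-save dump, one table at a time. Only generates the commands; review
# the output, then run it with sh as root.
#
# Dump format assumed (what ebtables-save prints):
#   *table          starts a table section (filter, nat, broute)
#   :CHAIN POLICY   a chain with its policy; built-in or user-defined
#   -A CHAIN ...    a rule, already in ebtables command syntax

# Constructed sample dump; chain names are illustrative, not from a real host.
SAMPLE_DUMP='# Generated by ebtables-save
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:libvirt-I ACCEPT
:I-vnet0-mac ACCEPT
-A PREROUTING -j libvirt-I
-A libvirt-I -i vnet0 -j I-vnet0-mac
-A I-vnet0-mac -s 52:54:00:11:22:33 -j RETURN
-A I-vnet0-mac -j DROP
*broute
:BROUTING ACCEPT
'

# Print only the lines belonging to table $1 (dump on stdin): everything after
# the "*$1" line up to the next "*table" line. Blank lines are dropped.
table_section() {
    awk -v t="$1" '/^\*/ { p = ($0 == ("*" t)); next } p && NF'
}

# Translate table $1 of the dump on stdin into ebtables commands.
# Built-in chains cannot be created, so they only get their policy set with -P;
# user-defined chains are created with -N before any rule references them.
dump_to_commands() {
    table="$1"
    case "$table" in
        filter) builtin="INPUT FORWARD OUTPUT" ;;
        nat)    builtin="PREROUTING OUTPUT POSTROUTING" ;;
        broute) builtin="BROUTING" ;;
        *) echo "unknown ebtables table: $table" >&2; return 1 ;;
    esac
    # Start from an empty table: flush every chain, then delete the (now
    # unreferenced) user-defined chains.
    echo "ebtables -t $table -F"
    echo "ebtables -t $table -X"
    table_section "$table" | awk -v t="$table" -v b="$builtin" '
        BEGIN { n = split(b, names, " "); for (i = 1; i <= n; i++) isbuiltin[names[i]] = 1 }
        /^#/ { next }
        /^:/ {
            chain = substr($1, 2); policy = $2
            if (chain in isbuiltin) print "ebtables -t " t " -P " chain " " policy
            else                    print "ebtables -t " t " -N " chain " -P " policy
            next
        }
        /^-/ { print "ebtables -t " t " " $0 }
    '
}

# Emit a complete restore script for every table present in dump file $1.
restore_script() {
    printf '#!/bin/sh\nset -e\n'
    for table in filter nat broute; do
        if grep -q "^\*$table\$" "$1"; then
            dump_to_commands "$table" < "$1"
        fi
    done
}

# Usage: sh regen-ebtables.sh ebtables-save.txt > ebtables-commands.sh
if [ $# -gt 0 ]; then
    restore_script "$1"
fi
```

The generated script starts with set -e, so a chain that fails to be created stops the run before any rule that jumps to it is added; that is preferable to a half-applied rule set on a bridge that carries guest traffic.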
Libvirt uses ebtables in its "clean-traffic" network filter for virtual machines. clean-traffic is a "learning" filter: it detects the IP address the guest uses and then only lets traffic with that source address through. Unfortunately, when zeroconf is enabled in the guest, the filter learns the wrong address, namely the link-local one (169.254.x.y). As a workaround, set a static IP address in the virtual machine / guest, or pass the address explicitly as the IP parameter of the filterref in the domain XML, in which case no learning takes place. Another alternative would be to manipulate the ebtables rules after libvirt has started the virtual machine.