How to save and load ebtables rules
Iptables provides filters for IP packets, and ebtables provides filters for Ethernet frames (for example by MAC address). Ebtables can be used to control Ethernet frames in network bridges. Libvirt uses ebtables to filter the network traffic of virtual machines. Since I did not find an easy way to save and load ebtables rules, I provide my own commands here:
# download ebtables source code:
# http://sourceforge.net/projects/ebtables/files/ebtables/ebtables-2-0-10-4/ebtables-v2.0.10-4.tar.gz/download
tar xzvf ebtables-v2.0.10-4.tar.gz
cd ebtables-v2.0.10-4/

# save ebtables (ebtables-save is a perl script; fill in the path placeholder first):
sed -i 's|__EXEC_PATH__|/sbin|g' ebtables-save
perl ebtables-save > ebtables-save.txt

# the restore program did not work:
ebtables-restore < ebtables-save.txt
# output: Bad table name 'nat'

# list the NAT table (network address translation)
ebtables -t nat -L

# restore ebtables - my own version:
# load ebtables (only the NAT part; assumes *nat is the last table in the
# saved file, otherwise lines of the following table would be read as nat rules):
grep -A1000 "^*nat" ebtables-save.txt > ebtables-save-nat.txt
# delete all rules first (-F flushes the chains, -X removes the user-defined chains)
echo "ebtables -t nat -F;ebtables -t nat -X" > ebtables-commands.sh
# translate the saved rules to ebtables commands:
#   "*nat"            -> comment
#   ":BUILTIN POLICY" -> only set the policy (built-in chains cannot be created with -N)
#   ":CHAIN POLICY"   -> create the user chain with its policy
#   "-A CHAIN ..."    -> append the rule
sed -e 's|*nat|#|' \
    -e 's|^:\(PREROUTING\|OUTPUT\|POSTROUTING\) \(.*\)|ebtables -t nat -P \1 \2|' \
    -e 's|^:\([^ ]*\) \(.*\)|ebtables -t nat -N \1 -P \2|' \
    -e 's|^-\(.*\)|ebtables -t nat -\1|' ebtables-save-nat.txt >> ebtables-commands.sh
# execute the commands
bash ebtables-commands.sh
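The translation step above is the core of the approach: every line of the saved dump becomes one ebtables command. The following is an added example (my own code, not part of the original post or of the ebtables project) that generalizes it to all tables in one pass: it tracks the current "*table" line, sets the policy of built-in chains with -P, creates user chains with -N, and passes rule lines through. The saved dump it works on is constructed for illustration; the chain name libvirt-I-vnet0 and the MAC/IP values are made up.

```shell
#!/bin/sh
# Constructed sample of ebtables-save output (not captured from a real host).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:libvirt-I-vnet0 ACCEPT
-A PREROUTING -i vnet0 -j libvirt-I-vnet0
-A libvirt-I-vnet0 -p IPv4 -s 52:54:00:aa:bb:cc --ip-src 192.0.2.10 -j ACCEPT
-A libvirt-I-vnet0 -j DROP
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -p ARP -j ACCEPT'

# Read ebtables-save text on stdin, write ebtables commands on stdout.
# Each table is flushed (-F) and its user chains removed (-X) before its
# chains and rules are recreated, so the script is safe to run repeatedly.
ebtables_save_to_commands() {
    awk '
    # built-in chains per table; anything else is a user-defined chain
    BEGIN {
        builtin["filter","INPUT"]=1; builtin["filter","FORWARD"]=1; builtin["filter","OUTPUT"]=1
        builtin["nat","PREROUTING"]=1; builtin["nat","OUTPUT"]=1; builtin["nat","POSTROUTING"]=1
        builtin["broute","BROUTING"]=1
    }
    /^\*/ {                          # "*nat": a new table starts
        table = substr($0, 2)
        print "ebtables -t " table " -F"    # flush all chains of the table
        print "ebtables -t " table " -X"    # delete the (now unreferenced) user chains
        next
    }
    /^:/ {                           # ":CHAIN POLICY"
        chain = substr($1, 2); policy = $2
        if ((table, chain) in builtin)
            print "ebtables -t " table " -P " chain " " policy
        else
            print "ebtables -t " table " -N " chain " -P " policy
        next
    }
    /^-/ {                           # "-A CHAIN ...": rule line, passed through unchanged
        print "ebtables -t " table " " $0
        next
    }
    { next }                         # COMMIT, comments, blank lines: ignored
    '
}

# Helpers used to check the translation of the constructed sample.
sample_command_count() {
    printf '%s\n' "$SAMPLE_SAVE" | ebtables_save_to_commands | wc -l | tr -d ' '
}

sample_user_chain_command() {
    printf '%s\n' "$SAMPLE_SAVE" | ebtables_save_to_commands | grep ' -N '
}

# Usage: generate a restore script from a real dump, review it, then run it as root:
#   ebtables_save_to_commands < ebtables-save.txt > ebtables-commands.sh
#   bash ebtables-commands.sh
printf '%s\n' "$SAMPLE_SAVE" | ebtables_save_to_commands
```

The generated script is plain text, so it can be inspected before it touches the kernel tables; the only ebtables invocations happen when the reviewed script is executed, not during translation.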
Libvirt uses ebtables in the network filter "clean-traffic" for virtual machines. "clean-traffic" is a learning filter. Unfortunately, the filter learns the wrong IP address from the virtual machine when zeroconf is enabled (IP address 169.254.x.y). As a workaround, set a static IP address in the virtual machine / guest. Another alternative would be to manipulate the ebtables rules after the virtual machine has been started by libvirt.