This guide describes how to deploy Bridged networks. In this mode, the virtual machine traffic is directly bridged through the Linux bridge on the hypervisor Nodes. Bridged networks can operate in four different modes depending on the additional traffic filtering made by OpenNebula:
- Dummy Bridged, no filtering, no bridge setup (legacy no-op driver).
- Bridged, no filtering is made, managed bridge.
- Bridged with Security Groups, iptables rules are installed to implement security groups rules.
- Bridged with ebtables VLAN, same as above plus additional ebtables rules to provide L2 isolation for Virtual Networks.
Considerations & Limitations¶
The following needs to be considered regarding traffic isolation:
- In the Dummy Bridged, Bridged and Bridged with Security Groups modes you can add tagged network interfaces to achieve network isolation. This is the recommended deployment strategy in production environments in this mode.
- The Bridged with ebtables VLAN mode is targeted to small environments without proper hardware support to implement VLANs. Note that it is limited to
/24networks and that IP addresses cannot overlap between Virtual Networks. This mode is only recommended for testing purposes.
The following configuration parameters can be adjusted in
||Maximum number of entries in the IP set (used for the security group rules)|
||(Hash) Options passed to
Remember to run
onehost sync -f to synchonize the changes to all the Nodes.
Defining Bridged Network¶
To create a Virtual Network, include the following information in the template:
||Name of the Linux bridge on the Nodes||NO (unless
||Name of the physical network device that will be attached to the bridge
(does not apply for
For example, you can define a Bridged with Security Groups type network with the following template:
NAME = "private1" VN_MAD = "fw"
Bridged and ebtables VLAN¶
ebtables program on the Node will set up tables of rules (at Linux kernel level) to inspect the Ethernet frames. Running the command
ebtables -L on the Node will display rules similiar to the ones shown here:
Bridge table: filter Bridge chain: INPUT, entries: 0, policy: ACCEPT Bridge chain: FORWARD, entries: 2, policy: ACCEPT # Drop packets that don't match the network's MAC Address -s ! <mac_address>/ff:ff:ff:ff:ff:0 -o <tap_device> -j DROP # Prevent MAC spoofing -s ! <mac_address> -i <tap_device> -j DROP Bridge chain: OUTPUT, entries: 0, policy: ACCEPT