One way to do this is to place a tiny VM (static kernel+very small
initramfs [uClibc+busybox+iptables+dnsmasq]) between VM clusters and the
host, rather than giving the host an IP on each cluster's bridge
directly. The tool that launches it (via libvirt) appends extra files to
the initramfs giving iptables rules to be run. I use this "virtual
router" to NETMAP multiple clouds of VMs which all think they're using
the same network space (say, 192.168.0.0/24) onto different subnets
(say, 192.168.1.x and 192.168.2.x for the first two clusters), but also
have added support for redirecting connections intended for specific
targets to elsewhere, overriding DNS results for specific hosts, and
other miscellaneous utility functions.
Using a separate VM rather than iptables rules on the host was necessary
in my use case because doing symmetrical NETMAP properly requires
packets from the host to the clients to pass through the PREROUTING
table -- which packets generated within a given host don't do.
If anyone (libvirt/oVirt/whomever) is interested in incorporating this
into their project (even as an entry in a contrib repository), let me
know; I can't distribute binaries without going through some pain and
suffering (setting up a SKU with my employer to ship a CD with sources
to the kernel and the GPLed components of the initrd), but providing it
in source form as a minor patch to someone else's project (and this *is*
actually implemented in very little code -- a mixture of Python and
busybox-friendly shell scripts totaling under 500 lines, so the "minor"
label applies) should be clear sailing.
--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list