[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] nwfilter - limit VM traffic to specific mac address



On 11/09/2011 04:01 AM, Shahar Havivi wrote:
On 08.11.11 16:34, Stefan Berger wrote:
On 11/07/2011 04:25 AM, Shahar Havivi wrote:
Hi,

I want to limit VM traffic to a specific MAC address, ie VMs cannot
traffic each other other then a specific gateway.

I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:

<filter name='isolatedprivatevlan-vdsm' chain='root'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='500'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>

Try this one -- it works in 'my' subnet:

<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='10'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as
well...
That's odd. Can you ping the gateway from the VM? Is it typically ping-able? Are you sure you specified the correct MAC addresses -- check with 'arp -n' on a host in the same subnet and see what it shows for the gateway (ping it if you don't see an entry).

    Stefan

VM1 domian xml portion:
<interface type="bridge">
     <mac address="00:1a:4a:16:01:53"/>
     <model type="virtio"/>
     <source bridge="red"/>
     <filterref filter="isolatedprivatevlan-vdsm">
         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
     </filterref>
</interface>


VM2 domian xml portion:
<interface type="bridge">
     <mac address="00:1a:4a:16:01:52"/>
     <model type="virtio"/>
     <source bridge="red"/>
     <filterref filter="isolatedprivatevlan-vdsm">
         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
     </filterref>
</interface>


in each VM (Fedora 15 LiveCD) I assign ip:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1

vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1

but the filter is not working,
I can ping the VMs from each other,

Am I missing something?
Try the above filter that puts the check into a different 'chain'
into different order. I'll be introducing a 'mac' chain where this
can then be put into rather than into the 'ipv4' chain.
The challenging part about the filtering rules is their order and
the XML can unfortunately not abstract this 'away'.

    Stefan


Thanks,
Shahar Havivi.

--
libvir-list mailing list
libvir-list redhat com
https://www.redhat.com/mailman/listinfo/libvir-list



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]