[libvirt] nwfilter - limit VM traffic to specific mac address

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Nov 9 11:44:28 UTC 2011


On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> On 08.11.11 16:34, Stefan Berger wrote:
>> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>> Hi,
>>>
>>> I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>> send traffic to each other, only to a specific gateway.
>>>
>>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>> located in /etc/libvirt/nwfilter/:
>>>
>>> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>      <filterref filter='clean-traffic'/>
>>>      <rule action='drop' direction='out' priority='500'>
>>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>      </rule>
>>> </filter>
>>>
>> Try this one -- it works in 'my' subnet:
>>
>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>      <filterref filter='clean-traffic'/>
>>      <rule action='drop' direction='out' priority='10'>
>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>      </rule>
>> </filter>
> Thanks,
> Now it is blocking the traffic but I can't get traffic to the gateway as
> well...
That's odd. Can you ping the gateway from the VM? Is it typically 
ping-able? Are you sure you specified the correct MAC addresses -- check 
with 'arp -n' on a host in the same subnet and see what it shows for the 
gateway (ping it if you don't see an entry).

     Stefan
>>
>>> VM1 domain xml portion:
>>> <interface type="bridge">
>>>      <mac address="00:1a:4a:16:01:53"/>
>>>      <model type="virtio"/>
>>>      <source bridge="red"/>
>>>      <filterref filter="isolatedprivatevlan-vdsm">
>>>          <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>>>      </filterref>
>>> </interface>
>>>
>>>
>>> VM2 domain xml portion:
>>> <interface type="bridge">
>>>      <mac address="00:1a:4a:16:01:52"/>
>>>      <model type="virtio"/>
>>>      <source bridge="red"/>
>>>      <filterref filter="isolatedprivatevlan-vdsm">
>>>          <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>>>      </filterref>
>>> </interface>
>>>
>>>
>>> in each VM (Fedora 15 LiveCD) I assign ip:
>>> # ifconfig eth0 10.35.1.240 netmask 255.255.254.0
>>> # route add default gw 10.35.1.1
>>>
>>> vm2:
>>> # ifconfig eth0 10.35.1.241 netmask 255.255.254.0
>>> # route add default gw 10.35.1.1
>>>
>>> but the filter is not working,
>>> I can ping the VMs from each other,
>>>
>>> Am I missing something?
>> Try the above filter, which puts the check into a different 'chain'
>> and into a different order. I'll be introducing a 'mac' chain that this
>> can then be put into rather than the 'ipv4' chain.
>> The challenging part about the filtering rules is their order, and
>> the XML unfortunately cannot abstract this 'away'.
>>
>>     Stefan
>>
>>
>>> Thanks,
>>> Shahar Havivi.
>>>
>>> --
>>> libvir-list mailing list
>>> libvir-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/libvir-list
>>>
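The thread's filter relies on two things that are easy to get wrong and that libvirt will not flag for you: the `$GATEWAY_MAC` variable must be bound by the interface's `<filterref>` parameters, and the rule's `match='no'` semantics (drop everything whose destination is *not* the gateway) must come out as intended once priorities are applied. The script below is an added example, not code from this thread or from libvirt: it parses the filter and the VM1 interface XML posted above (embedded as constructed copies), substitutes the variables, orders the rules by priority (lower value first; libvirt's documented default is 500), and evaluates an outgoing frame to the gateway and to VM2 against this filter's own MAC rules. It deliberately models only that much: the referenced `clean-traffic` filter and the chain the rules land in, which is where the order problem Stefan describes actually arises, are not simulated.

```python
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Constructed copies of the filter Stefan suggested and of VM1's interface
# definition from the thread, embedded so the script runs offline.
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
    <filterref filter='clean-traffic'/>
    <rule action='drop' direction='out' priority='10'>
        <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
    </rule>
</filter>"""

INTERFACE_XML = """<interface type="bridge">
    <mac address="00:1a:4a:16:01:53"/>
    <model type="virtio"/>
    <source bridge="red"/>
    <filterref filter="isolatedprivatevlan-vdsm">
        <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
    </filterref>
</interface>"""


def interface_filterref(interface_xml):
    """Return (filter name, {parameter: value}) from a domain <interface>,
    rejecting any *MAC parameter that is not a well-formed MAC address."""
    ref = ET.fromstring(interface_xml).find("filterref")
    if ref is None:
        raise ValueError("interface has no <filterref>")
    params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
    for name, value in params.items():
        if name.endswith("MAC") and not MAC_RE.match(value or ""):
            raise ValueError(f"parameter {name} is not a MAC address: {value!r}")
    return ref.get("filter"), params


def resolve_rules(filter_xml, params):
    """Substitute $VARIABLE references in the filter's own <rule>s and return
    them sorted by priority (lower value first; libvirt's default is 500).
    An unbound variable is an error, as it would be when libvirt instantiates
    the filter."""
    root = ET.fromstring(filter_xml)
    rules = []
    for rule in root.findall("rule"):
        for proto in rule:  # <mac>, <ip>, ... children of the rule
            attrs = {}
            for key, value in proto.attrib.items():
                if value.startswith("$"):
                    if value[1:] not in params:
                        raise ValueError(f"unbound variable {value}")
                    value = params[value[1:]]
                # normalise MAC attributes so comparisons are case-insensitive
                attrs[key] = value.lower() if "mac" in key else value
            rules.append({
                "priority": int(rule.get("priority", "500")),
                "action": rule.get("action"),
                "direction": rule.get("direction"),
                "protocol": proto.tag,
                **attrs,
            })
    return sorted(rules, key=lambda r: r["priority"])


def verdict_for_outgoing_frame(rules, dst_mac):
    """Walk the resolved MAC-layer rules for a frame the VM sends and return
    the first verdict, or 'accept' when nothing matches. Only this filter's
    own 'mac' rules are modelled, not clean-traffic or chain placement."""
    dst_mac = dst_mac.lower()
    for r in rules:
        if r["protocol"] != "mac" or r["direction"] not in ("out", "inout"):
            continue
        wanted = r.get("dstmacaddr")
        if wanted is None:
            continue
        hit = dst_mac == wanted
        if r.get("match", "yes") == "no":  # match='no' inverts the test
            hit = not hit
        if hit:
            return r["action"]
    return "accept"


def check_isolation(filter_xml, interface_xml, peer_mac):
    """Verify the interface really references this filter, bind its
    parameters, and report the verdict for a frame to the gateway and to a
    peer VM (hypothetical helper for this example)."""
    name, params = interface_filterref(interface_xml)
    declared = ET.fromstring(filter_xml).get("name")
    if name != declared:
        raise ValueError(f"interface references {name!r} but filter is {declared!r}")
    rules = resolve_rules(filter_xml, params)
    return {
        "to_gateway": verdict_for_outgoing_frame(rules, params["GATEWAY_MAC"]),
        "to_peer": verdict_for_outgoing_frame(rules, peer_mac),
    }


if __name__ == "__main__":
    # VM2's MAC from the thread is used as the peer
    print(check_isolation(FILTER_XML, INTERFACE_XML, "00:1a:4a:16:01:52"))
```

If the script reports `to_gateway: accept` and `to_peer: drop` but the VM still cannot reach the gateway, the rule itself is not the problem; as Stefan's reply says, check the gateway MAC with `arp -n` from a host on the same subnet and look at where the rule ends up relative to the `clean-traffic` rules on the host.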
