[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Wed Nov 9 14:38:28 UTC 2011


On 09.11.11 09:20, Stefan Berger wrote:
> On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> >On 09.11.11 06:44, Stefan Berger wrote:
> >>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >>>On 08.11.11 16:34, Stefan Berger wrote:
> >>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>>>Hi,
> >>>>>
> >>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> >>>>>send traffic to each other, only to a specific gateway.
> >>>>>
> >>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> >>>>>located in /etc/libvirt/nwfilter/:
> >>>>>
> >>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>>>     <filterref filter='clean-traffic'/>
> >>>>>     <rule action='drop' direction='out' priority='500'>
> >>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>     </rule>
> >>>>></filter>
> >>>>>
> >>>>Try this one -- it works in 'my' subnet:
> >>>>
> >>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>>>     <filterref filter='clean-traffic'/>
> >>>>     <rule action='drop' direction='out' priority='10'>
> >>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>     </rule>
> >>>></filter>
> >>>Thanks,
> >>>Now it is blocking the traffic, but I can't get traffic to the gateway
> >>>either...
> >>That's odd. Can you ping the gateway from the VM? Is it typically
> >>ping-able? Are you sure you specified the correct MAC addresses --
> >>check with 'arp -n' on a host in the same subnet and see what it
> >>shows for the gateway (ping it if you don't see an entry).
> >>
> >>     Stefan
> >It's working only when I remove the line
> >     <filterref filter='clean-traffic'/>
> >from the filter...
> >
> While you ping the gateway, can you re-add the above line to the filter?
> 
>    Stefan
It's working, even when stopping the ping and re-pinging the gateway,
but it stops working after I stop and start the VM.
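As an added example that is not part of this thread: the filter Stefan proposed, built next to the domain `<interface>` fragment that has to supply `$GATEWAY_MAC`, so both pieces can be checked together before `virsh nwfilter-define` and `virsh define`. The `<parameter>` element is libvirt's documented way of binding a filter variable from the interface definition; the bridge name, the sample MAC and the helper names are assumptions for the example.

```python
# Added example (not code from the thread). Builds the nwfilter XML from the thread and
# the <interface> XML that binds $GATEWAY_MAC, then checks that every variable the
# filter references is actually bound, which is the first thing to verify when a
# filter "drops everything" after a VM restart.
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def gateway_filter_xml(name="isolatedprivatevlan-vdsm", priority=10):
    """Stefan's version: clean-traffic plus a drop rule for outgoing frames whose
    destination MAC is not the gateway; chain and priority as in his working filter."""
    flt = ET.Element("filter", name=name, chain="ipv4")
    ET.SubElement(flt, "filterref", filter="clean-traffic")
    rule = ET.SubElement(flt, "rule", action="drop", direction="out",
                         priority=str(priority))
    ET.SubElement(rule, "mac", match="no", dstmacaddr="$GATEWAY_MAC")
    return ET.tostring(flt, encoding="unicode")


def interface_xml(filter_name, gateway_mac, bridge="br0"):
    """<interface> fragment for the domain XML (bridge name is a placeholder);
    <parameter name='GATEWAY_MAC'> is what gives the filter's $GATEWAY_MAC a value."""
    if not MAC_RE.match(gateway_mac.lower()):
        raise ValueError(f"expected aa:bb:cc:dd:ee:ff form, got {gateway_mac!r}")
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ref = ET.SubElement(iface, "filterref", filter=filter_name)
    ET.SubElement(ref, "parameter", name="GATEWAY_MAC", value=gateway_mac.lower())
    return ET.tostring(iface, encoding="unicode")


def filter_variables(filter_xml):
    """All $VARIABLES referenced anywhere in the filter's attributes."""
    found = set()
    for el in ET.fromstring(filter_xml).iter():
        for value in el.attrib.values():
            found.update(re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", value))
    return found


def unbound_variables(filter_xml, iface_xml):
    """Variables the filter uses but the interface's <filterref> does not bind."""
    bound = {p.get("name") for p in ET.fromstring(iface_xml).iter("parameter")}
    return filter_variables(filter_xml) - bound
```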

More information about the libvir-list mailing list