[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] nwfilter - limit VM traffic to specific mac address



On 11/09/2011 09:38 AM, Shahar Havivi wrote:
On 09.11.11 09:20, Stefan Berger wrote:
On 11/09/2011 07:44 AM, Shahar Havivi wrote:
On 09.11.11 06:44, Stefan Berger wrote:
On 11/09/2011 04:01 AM, Shahar Havivi wrote:
On 08.11.11 16:34, Stefan Berger wrote:
On 11/07/2011 04:25 AM, Shahar Havivi wrote:
Hi,

I want to limit VM traffic to a specific MAC address, ie VMs cannot
traffic each other other then a specific gateway.

I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:

<filter name='isolatedprivatevlan-vdsm' chain='root'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='500'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>

Try this one -- it works in 'my' subnet:

<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='10'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as
well...
That's odd. Can you ping the gateway from the VM? Is it typically
ping-able? Are you sure you specified the correct MAC addresses --
check with 'arp -n' on a host in the same subnet and see what it
shows for the gateway (ping it if you don't see an entry).

     Stefan
It's working only when I remove the line
     <filterref filter='clean-traffic'/>
>from the filter...
While you ping the gateway, can you re-add the above line to the filter?

    Stefan
its working, even when stopping the ping and re-pinging the gateway,
but it stop working after I stop and started the VM.

How does the VM get its IP address, static or DHCP ? If DHCP, could you try a static IP address?

In case it doesn't work, what does 'ebtables -t nat -L' show and which IP address is assigned to the VM's interface?

   Stefan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]