[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Thu Nov 10 09:30:25 UTC 2011 

On 09.11.11 10:49, Stefan Berger wrote:
> On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> >On 09.11.11 09:20, Stefan Berger wrote:
> >>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> >>>On 09.11.11 06:44, Stefan Berger wrote:
> >>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >>>>>On 08.11.11 16:34, Stefan Berger wrote:
> >>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>>>>>Hi,
> >>>>>>>
> >>>>>>>I want to limit VM traffic to a specific MAC address, ie VMs cannot
> >>>>>>>traffic each other other then a specific gateway.
> >>>>>>>
> >>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> >>>>>>>located in /etc/libvirt/nwfilter/:
> >>>>>>>
> >>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>>>>>     <filterref filter='clean-traffic'/>
> >>>>>>>     <rule action='drop' direction='out' priority='500'>
> >>>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>>     </rule>
> >>>>>>></filter>
> >>>>>>>
> >>>>>>Try this one -- it works in 'my' subnet:
> >>>>>>
> >>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>>>>>     <filterref filter='clean-traffic'/>
> >>>>>>     <rule action='drop' direction='out' priority='10'>
> >>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>     </rule>
> >>>>>></filter>
> >>>>>Thanks,
> >>>>>Now it is blocking the traffic but I can't get traffic to the gateway as
> >>>>>well...
> >>>>That's odd. Can you ping the gateway from the VM? Is it typically
> >>>>ping-able? Are you sure you specified the correct MAC addresses --
> >>>>check with 'arp -n' on a host in the same subnet and see what it
> >>>>shows for the gateway (ping it if you don't see an entry).
> >>>>
> >>>>     Stefan
> >>>It's working only when I remove the line
> >>>     <filterref filter='clean-traffic'/>
> >>>from the filter...
> >>While you ping the gateway, can you re-add the above line to the filter?
> >>
> >>    Stefan
> >its working, even when stopping the ping and re-pinging the gateway,
> >but it stop working after I stop and started the VM.
> >
> How does the VM get its IP address, static or DHCP ? If DHCP, could
> you try a static IP address?
> 
> In case it doesn't work, what does 'ebtables -t nat -L' show and
> which IP address is assigned to the VM's interface?
> 
>    Stefan
static ip, the ebtables output show ip 0.0.0.0 for the VM mac address:

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
0:1a:4a:16:1:52 -j ACCEPT 
-j DROP


How can I set the IP in the case?
>

More information about the libvir-list mailing list