On 09.11.11 10:49, Stefan Berger wrote:
On 11/09/2011 09:38 AM, Shahar Havivi wrote:
>On 09.11.11 09:20, Stefan Berger wrote:
>>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
>>>On 09.11.11 06:44, Stefan Berger wrote:
>>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>>>>>On 08.11.11 16:34, Stefan Berger wrote:
>>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>>>>>Hi,
>>>>>>>
>>>>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>>>>>>traffic each other, other than a specific gateway.
>>>>>>>
>>>>>>>I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml,
>>>>>>>located in /etc/libvirt/nwfilter/:
>>>>>>>
>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>>>>>  <filterref filter='clean-traffic'/>
>>>>>>>  <rule action='drop' direction='out' priority='500'>
>>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>>  </rule>
>>>>>>></filter>
>>>>>>>
>>>>>>Try this one -- it works in 'my' subnet:
>>>>>>
>>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>>>>>  <filterref filter='clean-traffic'/>
>>>>>>  <rule action='drop' direction='out' priority='10'>
>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>  </rule>
>>>>>></filter>
>>>>>Thanks,
>>>>>Now it is blocking the traffic, but I can't get traffic to the gateway as
>>>>>well...
>>>>That's odd. Can you ping the gateway from the VM? Is it typically
>>>>ping-able? Are you sure you specified the correct MAC addresses --
>>>>check with 'arp -n' on a host in the same subnet and see what it
>>>>shows for the gateway (ping it if you don't see an entry).
>>>>
>>>> Stefan
>>>It's working only when I remove the line
>>> <filterref filter='clean-traffic'/>
>>>from the filter...
>>While you ping the gateway, can you re-add the above line to the filter?
>>
>> Stefan
>It's working, even when stopping the ping and re-pinging the gateway,
>but it stops working after I stop and start the VM.
>
How does the VM get its IP address, static or DHCP? If DHCP, could
you try a static IP address?
In case it doesn't work, what does 'ebtables -t nat -L' show and
which IP address is assigned to the VM's interface?
Stefan
Static IP; the ebtables output shows IP 0.0.0.0 for the VM's MAC address:
Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
-j DROP
Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
0:1a:4a:16:1:52 -j ACCEPT
-j DROP
How can I set the IP in this case?
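As an added example (not part of the thread): libvirt's clean-traffic filter normally learns the VM's IP address from the traffic it sees, but the variables a filter uses ($IP, $GATEWAY_MAC) can instead be passed explicitly on the domain's <filterref>, so the rules are complete from the moment the VM starts. The bridge name, VM IP and gateway MAC below are placeholders.

```xml
<!-- Added example, not from the thread. Placeholder values are marked. -->

<!-- /etc/libvirt/nwfilter/isolatedprivatevlan-vdsm.xml (the ipv4-chain
     variant from the thread, loaded with 'virsh nwfilter-define') -->
<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <!-- Drop any outgoing IPv4 frame that is not addressed to the gateway MAC -->
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- In the domain definition: reference the filter and set its variables
     explicitly, so clean-traffic does not have to learn the IP at runtime -->
<interface type='bridge'>
  <source bridge='br0'/>                 <!-- placeholder bridge name -->
  <mac address='00:1a:4a:16:01:52'/>     <!-- VM MAC from the thread -->
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='IP' value='192.0.2.10'/>            <!-- placeholder -->
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/> <!-- placeholder -->
  </filterref>
</interface>
```

After restarting the VM, 'ebtables -t nat -L' should show the configured address in the generated IP rules rather than a learned one.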