Shahar Havivi <shaharh(a)redhat.com> wrote on 06/20/2011 07:39:35 AM:
From: Shahar Havivi <shaharh(a)redhat.com>
To: libvirt-list(a)redhat.com
Cc: Stefan Berger/Watson/IBM@IBMUS
Date: 06/20/2011 07:42 AM
Subject: nwfilter: limit VM traffic to specific MAC
Hi,
I am trying to add a custom filter to block VM traffic to other VMs by limiting the traffic only to the gateway's MAC address.
The filter XML:
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <filterref filter='allow-dhcp'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$MAC'/>
  </rule>
</filter>
The MAC is not the interface MAC address, it's the gateway's MAC that is passed as a parameter (I use the gateway address hardcoded as well).
The VM is getting a DHCP IP but cannot get any traffic.
I notice that when I edit (comment and uncomment) the drop rule, the filter is working fine, i.e. no traffic other than the gateway.
1. Am I doing something wrong?
Try to put the concrete MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface.
Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter.
The DHCP server must be running on the gateway.
1. What is the table name that libvirt uses for ebtables?
It's the 'nat' table: 'ebtables -t nat -L' shows you the resulting rules.
Stefan
Shahar.
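A worked version of the filter and domain interface definition Stefan describes, added here as an example and not taken from the thread; the bridge name, the VM's MAC and the gateway MAC value are placeholders:

```xml
<!-- Added example (not from the thread): the 'rhev' filter with the
     gateway MAC supplied as a parameter, as Stefan suggests. -->
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <!-- DHCP relies on broadcast frames; keep the allow-dhcp reference. -->
  <filterref filter='allow-dhcp'/>
  <!-- Drop every outbound frame whose destination MAC is NOT the gateway.
       $GATEWAY_MAC is a user-defined parameter. $MAC, used in the original
       rule, expands to the VM interface's own MAC, which is why that rule
       matched nothing useful. -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- Domain XML fragment: reference the filter and pass the gateway MAC.
     'br0', the VM MAC and the GATEWAY_MAC value are placeholders. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:aa:bb:cc'/>
  <filterref filter='rhev'>
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>
```

Load the filter with virsh nwfilter-define and, once the VM is running, inspect the generated rules with ebtables -t nat -L as Stefan notes.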