Re: [libvirt] nwfilter - limit VM traffic to specific mac address

On 09.11.11 10:49, Stefan Berger wrote: > On 11/09/2011 09:38 AM, Shahar Havivi wrote: > >On 09.11.11 09:20, Stefan Berger wrote: > >>On 11/09/2011 07:44 AM, Shahar Havivi wrote: > >>>On 09.11.11 06:44, Stefan Berger wrote: > >>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote: > >>>>>On 08.11.11 16:34, Stefan Berger wrote: > >>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote: > >>>>>>>Hi, > >>>>>>> > >>>>>>>I want to limit VM traffic to a specific MAC address, ie VMs cannot > >>>>>>>traffic each other other then a specific gateway. > >>>>>>> > >>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml > >>>>>>>located in /etc/libvirt/nwfilter/: > >>>>>>> > >>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'> > >>>>>>> <filterref filter='clean-traffic'/> > >>>>>>> <rule action='drop' direction='out' priority='500'> > >>>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> > >>>>>>> </rule> > >>>>>>></filter> > >>>>>>> > >>>>>>Try this one -- it works in 'my' subnet: > >>>>>> > >>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'> > >>>>>> <filterref filter='clean-traffic'/> > >>>>>> <rule action='drop' direction='out' priority='10'> > >>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/> > >>>>>> </rule> > >>>>>></filter> > >>>>>Thanks, > >>>>>Now it is blocking the traffic but I can't get traffic to the gateway as > >>>>>well... > >>>>That's odd. Can you ping the gateway from the VM? Is it typically > >>>>ping-able? Are you sure you specified the correct MAC addresses -- > >>>>check with 'arp -n' on a host in the same subnet and see what it > >>>>shows for the gateway (ping it if you don't see an entry). > >>>> > >>>> Stefan > >>>It's working only when I remove the line > >>> <filterref filter='clean-traffic'/> > >>>from the filter... > >>While you ping the gateway, can you re-add the above line to the filter? > >> > >> Stefan > >its working, even when stopping the ping and re-pinging the gateway, > >but it stop working after I stop and started the VM. > > > How does the VM get its IP address, static or DHCP ? If DHCP, could > you try a static IP address? > > In case it doesn't work, what does 'ebtables -t nat -L' show and > which IP address is assigned to the VM's interface? > > Stefan static ip, the ebtables output show ip 0.0.0.0 for the VM mac address: Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT -p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT -j DROP Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT -j DROP How can I set the IP in the case?

> -- libvir-list mailing list libvir-list(a)redhat.com https://www.redhat.com/mailman/listinfo/libvir-list