On 11/09/2011 04:01 AM, Shahar Havivi wrote:
On 08.11.11 16:34, Stefan Berger wrote:
> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>> Hi,
>>
>> I want to limit VM traffic to a specific MAC address, ie VMs cannot
>> traffic each other other than a specific gateway.
>>
>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>> located in /etc/libvirt/nwfilter/:
>>
>> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>> <filterref filter='clean-traffic'/>
>> <rule action='drop' direction='out' priority='500'>
>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>> </rule>
>> </filter>
>>
> Try this one -- it works in 'my' subnet:
>
> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> <filterref filter='clean-traffic'/>
> <rule action='drop' direction='out' priority='10'>
> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> </rule>
> </filter>
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as
well...
That's odd. Can you ping the gateway from the VM? Is it typically
ping-able? Are you sure you specified the correct MAC addresses -- check
with 'arp -n' on a host in the same subnet and see what it shows for the
gateway (ping it if you don't see an entry).
Stefan
>
>> VM1 domain xml portion:
>> <interface type="bridge">
>> <mac address="00:1a:4a:16:01:53"/>
>> <model type="virtio"/>
>> <source bridge="red"/>
>> <filterref filter="isolatedprivatevlan-vdsm">
>> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>> </filterref>
>> </interface>
>>
>>
>> VM2 domain xml portion:
>> <interface type="bridge">
>> <mac address="00:1a:4a:16:01:52"/>
>> <model type="virtio"/>
>> <source bridge="red"/>
>> <filterref filter="isolatedprivatevlan-vdsm">
>> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>> </filterref>
>> </interface>
>>
>>
>> in each VM (Fedora 15 LiveCD) I assign an IP:
>> # ifconfig eth0 10.35.1.240 netmask 255.255.254.0
>> # route add default gw 10.35.1.1
>>
>> vm2:
>> # ifconfig eth0 10.35.1.241 netmask 255.255.254.0
>> # route add default gw 10.35.1.1
>>
>> but the filter is not working,
>> I can ping the VMs from each other,
>>
>> Am I missing something?
> Try the above filter that puts the check into a different 'chain'
> into different order. I'll be introducing a 'mac' chain where this
> can then be put into rather than into the 'ipv4' chain.
> The challenging part about the filtering rules is their order and
> the XML can unfortunately not abstract this 'away'.
>
> Stefan
>
>
>> Thanks,
>> Shahar Havivi.
>>
>> --
>> libvir-list mailing list
>> libvir-list(a)redhat.com
>>
>> https://www.redhat.com/mailman/listinfo/libvir-list
>>