On 09.11.11 06:44, Stefan Berger wrote:
>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>On 08.11.11 16:34, Stefan Berger wrote:
>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>Hi,
>>>
>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>>send traffic to each other, other than to a specific gateway.
>>>
>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>>located in /etc/libvirt/nwfilter/:
>>>
>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
>>> <filterref filter='clean-traffic'/>
>>> <rule action='drop' direction='out' priority='500'>
>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>> </rule>
>>></filter>
>>>
>>Try this one -- it works in 'my' subnet:
>>
>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>> <filterref filter='clean-traffic'/>
>> <rule action='drop' direction='out' priority='10'>
>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>> </rule>
>></filter>
>Thanks,
>Now it is blocking the traffic but I can't get traffic to the gateway as
>well...
>That's odd. Can you ping the gateway from the VM? Is it typically
>ping-able? Are you sure you specified the correct MAC addresses --
>check with 'arp -n' on a host in the same subnet and see what it
>shows for the gateway (ping it if you don't see an entry).
>
> Stefan
It's working only when I remove the line
<filterref filter='clean-traffic'/>
from the filter...
>>>VM1 domain xml portion:
>>><interface type="bridge">
>>> <mac address="00:1a:4a:16:01:53"/>
>>> <model type="virtio"/>
>>> <source bridge="red"/>
>>> <filterref filter="isolatedprivatevlan-vdsm">
>>> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>>> </filterref>
>>></interface>
>>>
>>>
>>>VM2 domain xml portion:
>>><interface type="bridge">
>>> <mac address="00:1a:4a:16:01:52"/>
>>> <model type="virtio"/>
>>> <source bridge="red"/>
>>> <filterref filter="isolatedprivatevlan-vdsm">
>>> <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>>> </filterref>
>>></interface>
>>>
>>>
>>>in each VM (Fedora 15 LiveCD) I assign ip:
>>># ifconfig eth0 10.35.1.240 netmask 255.255.254.0
>>># route add default gw 10.35.1.1
>>>
>>>vm2:
>>># ifconfig eth0 10.35.1.241 netmask 255.255.254.0
>>># route add default gw 10.35.1.1
>>>
>>>but the filter is not working,
>>>I can ping the VMs from each other,
>>>
>>>Am I missing something?
>>Try the above filter, which puts the check into a different 'chain'
>>and thus into a different order. I'll be introducing a 'mac' chain where
>>this can then be put into rather than into the 'ipv4' chain.
>>The challenging part about the filtering rules is their order and
>>the XML can unfortunately not abstract this 'away'.
>>
>> Stefan
>>
>>
>>>Thanks,
>>>Shahar Havivi.
>>>
>>>--
>>>libvir-list mailing list
>>>libvir-list(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/libvir-list
>>>
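Stefan's suggestion in the thread is to verify that the MAC handed to the filter really is the gateway's, by comparing it with what `arp -n` shows on a host in the same subnet. The script below is an added example, not code from this thread or from libvirt: it pulls the `<filterref>` parameters out of the VM1 `<interface>` XML quoted above, parses `arp -n` output in the net-tools layout, and reports whether `GATEWAY_MAC` matches the ARP entry for the gateway. The gateway IP 10.35.1.1 and the interface XML come from the thread; the ARP table contents are constructed samples, and the gateway entry is deliberately given a different MAC so the mismatch path is exercised.

```python
import re
import xml.etree.ElementTree as ET

# The VM1 <interface> element as quoted in the thread (the only page-derived input).
VM1_INTERFACE_XML = """<interface type="bridge">
  <mac address="00:1a:4a:16:01:53"/>
  <model type="virtio"/>
  <source bridge="red"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>"""

# Constructed sample of `arp -n` output (net-tools format) from a host on the
# same 10.35.0.0/23 subnet. The gateway row carries a MAC that differs from the
# GATEWAY_MAC above on purpose, so the check reports a mismatch.
ARP_N_OUTPUT = """Address                  HWtype  HWaddress           Flags Mask            Iface
10.35.1.1                ether   00:1b:2c:3d:4e:5f   C                     eth0
10.35.1.241              ether   00:1a:4a:16:01:52   C                     eth0
"""

GATEWAY_IP = "10.35.1.1"  # default gateway configured inside the VMs in the thread

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case and strip so MACs from XML and from arp compare byte-for-byte."""
    return mac.strip().lower()


def filter_parameters(interface_xml):
    """Return {name: value} for every <parameter> under the interface's <filterref>."""
    root = ET.fromstring(interface_xml)
    ref = root.find("filterref")
    if ref is None:
        raise ValueError("interface has no <filterref>")
    return {p.get("name"): p.get("value") for p in ref.findall("parameter")}


def parse_arp_n(text):
    """Map IP -> MAC from `arp -n` output, skipping the header and incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        # Incomplete entries show "(incomplete)" instead of "ether <mac>"; skip them.
        if len(fields) >= 3 and fields[1] == "ether":
            table[fields[0]] = normalize_mac(fields[2])
    return table


def check_gateway_mac(interface_xml, arp_text, gateway_ip, param="GATEWAY_MAC"):
    """Compare the MAC passed to the filter with what ARP reports for the gateway.

    Returns (ok, detail). ok is False for a missing/invalid parameter, a missing
    ARP entry, or a mismatch; detail says which.
    """
    params = filter_parameters(interface_xml)
    configured = params.get(param)
    if configured is None:
        return False, f"parameter {param} missing from <filterref>"
    configured = normalize_mac(configured)
    if not MAC_RE.match(configured):
        return False, f"{param}={configured!r} is not a valid MAC"
    seen = parse_arp_n(arp_text).get(gateway_ip)
    if seen is None:
        return False, f"no ARP entry for {gateway_ip}; ping it and rerun"
    if seen != configured:
        return False, f"{param}={configured} but ARP shows {gateway_ip} at {seen}"
    return True, f"{param} matches the ARP entry for {gateway_ip}"


if __name__ == "__main__":
    ok, detail = check_gateway_mac(VM1_INTERFACE_XML, ARP_N_OUTPUT, GATEWAY_IP)
    print("OK" if ok else "MISMATCH", "-", detail)
```

On a real host, replace `ARP_N_OUTPUT` with the captured output of `arp -n` and `VM1_INTERFACE_XML` with the `<interface>` element from `virsh dumpxml`. Comparing against the ARP table rather than against documentation matters here because the `<mac dstmacaddr>` match is applied to the destination MAC the VM actually writes into its frames, and that is whatever the VM learned for the gateway via ARP.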