On 09.11.11 09:20, Stefan Berger wrote:
On 11/09/2011 07:44 AM, Shahar Havivi wrote:
>On 09.11.11 06:44, Stefan Berger wrote:
>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>>>On 08.11.11 16:34, Stefan Berger wrote:
>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>>>Hi,
>>>>>
>>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>>>>exchange traffic with each other, other than with a specific gateway.
>>>>>
>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>>>>located in /etc/libvirt/nwfilter/:
>>>>>
>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>>> <filterref filter='clean-traffic'/>
>>>>> <rule action='drop' direction='out' priority='500'>
>>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>> </rule>
>>>>></filter>
>>>>>
>>>>Try this one -- it works in 'my' subnet:
>>>>
>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>>> <filterref filter='clean-traffic'/>
>>>> <rule action='drop' direction='out' priority='10'>
>>>> <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>> </rule>
>>>></filter>
>>>Thanks,
>>>Now it is blocking the traffic, but I can't get traffic to the gateway
>>>either...
>>That's odd. Can you ping the gateway from the VM? Is it typically
>>ping-able? Are you sure you specified the correct MAC addresses --
>>check with 'arp -n' on a host in the same subnet and see what it
>>shows for the gateway (ping it if you don't see an entry).
>>
>> Stefan
>It's working only when I remove the line
> <filterref filter='clean-traffic'/>
>from the filter...
>
While you ping the gateway, can you re-add the above line to the filter?
Stefan
It's working, even when stopping the ping and re-pinging the gateway,
but it stops working after I stop and start the VM.
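The thread never shows where the `$GATEWAY_MAC` variable used by the filter gets its value. In libvirt, a variable referenced in a network filter is bound from the guest's `<interface>` definition, via a `<parameter>` child of the `<filterref>` element. The following Python script, added here as an illustration and not posted by either participant, generates the filter XML from the thread (chain `ipv4`, priority 10), generates an interface stanza that attaches it and binds `GATEWAY_MAC`, and checks that every `$VARIABLE` the filter uses is actually bound. The bridge name `br0` and all MAC addresses in it are constructed sample values, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Six colon-separated hex octets, lower case (libvirt accepts this form).
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Lower-case a MAC address and reject anything that is not six octets."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def build_filter(name, chain="ipv4", priority=10):
    """Filter XML equivalent to the one in the thread: clean-traffic plus a
    rule that drops any outbound frame whose destination is not $GATEWAY_MAC."""
    flt = ET.Element("filter", name=name, chain=chain)
    ET.SubElement(flt, "filterref", filter="clean-traffic")
    rule = ET.SubElement(flt, "rule", action="drop", direction="out",
                         priority=str(priority))
    ET.SubElement(rule, "mac", match="no", dstmacaddr="$GATEWAY_MAC")
    return ET.tostring(flt, encoding="unicode")


def build_interface(bridge, vm_mac, filter_name, gateway_mac=None):
    """Domain <interface> stanza that attaches the filter. When gateway_mac is
    given, it is bound to the filter's GATEWAY_MAC variable through
    <filterref><parameter .../></filterref>, which is libvirt's mechanism for
    supplying variable values to a filter."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=normalize_mac(vm_mac))
    ref = ET.SubElement(iface, "filterref", filter=filter_name)
    if gateway_mac is not None:
        ET.SubElement(ref, "parameter", name="GATEWAY_MAC",
                      value=normalize_mac(gateway_mac))
    return ET.tostring(iface, encoding="unicode")


def unbound_variables(filter_xml, iface_xml):
    """Return the set of $VARIABLES referenced in filter_xml that the
    interface's <filterref> does not bind. An unbound variable means the
    filter cannot be instantiated for that interface."""
    used = set(re.findall(r"\$([A-Z_][A-Z0-9_]*)", filter_xml))
    iface = ET.fromstring(iface_xml)
    bound = {p.get("name") for p in iface.iter("parameter")}
    return used - bound


if __name__ == "__main__":
    # Constructed sample values: not real hosts.
    flt = build_filter("isolatedprivatevlan-vdsm")
    good = build_interface("br0", "52:54:00:12:34:56",
                           "isolatedprivatevlan-vdsm", "00:11:22:33:44:55")
    bad = build_interface("br0", "52:54:00:12:34:56",
                          "isolatedprivatevlan-vdsm")
    print(flt)
    print(good)
    print("unbound with parameter:   ", unbound_variables(flt, good))
    print("unbound without parameter:", unbound_variables(flt, bad))
```

The generated filter text is what one would save and load with `virsh nwfilter-define`; the interface stanza goes into the domain XML. Running the binding check before defining the domain catches the case where the filter refers to `$GATEWAY_MAC` but no `<parameter>` supplies it.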