On 10.11.11 06:25, Stefan Berger wrote:
On 11/10/2011 05:21 AM, Shahar Havivi wrote:
>On 10.11.11 11:30, Shahar Havivi wrote:
>>On 09.11.11 10:49, Stefan Berger wrote:
>>>On 11/09/2011 09:38 AM, Shahar Havivi wrote:
>>>>On 09.11.11 09:20, Stefan Berger wrote:
>>>>>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
>>>>>>On 09.11.11 06:44, Stefan Berger wrote:
>>>>>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>>>>>>>>On 08.11.11 16:34, Stefan Berger wrote:
>>>>>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>>>>>>>>Hi,
>>>>>>>>>>
>>>>>>>>>>I want to limit VM traffic to a specific MAC address, ie VMs cannot
>>>>>>>>>>traffic each other other than a specific gateway.
>>>>>>>>>>
>>>>>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>>>>>>>>>located in /etc/libvirt/nwfilter/:
>>>>>>>>>>
>>>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>>>>>>>>  <filterref filter='clean-traffic'/>
>>>>>>>>>>  <rule action='drop' direction='out' priority='500'>
>>>>>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>>>>>  </rule>
>>>>>>>>>></filter>
>>>>>>>>>>
>>>>>>>>>Try this one -- it works in 'my' subnet:
>>>>>>>>>
>>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>>>>>>>>  <filterref filter='clean-traffic'/>
>>>>>>>>>  <rule action='drop' direction='out' priority='10'>
>>>>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>>>>  </rule>
>>>>>>>>></filter>
>>>>>>>>Thanks,
>>>>>>>>Now it is blocking the traffic but I can't get traffic to the gateway as
>>>>>>>>well...
>>>>>>>That's odd. Can you ping the gateway from the VM? Is it typically
>>>>>>>ping-able? Are you sure you specified the correct MAC addresses --
>>>>>>>check with 'arp -n' on a host in the same subnet and see what it
>>>>>>>shows for the gateway (ping it if you don't see an entry).
>>>>>>>
>>>>>>> Stefan
>>>>>>It's working only when I remove the line
>>>>>> <filterref filter='clean-traffic'/>
>>>>>>from the filter...
>>>>>While you ping the gateway, can you re-add the above line to the filter?
>>>>>
>>>>> Stefan
>>>>it's working, even when stopping the ping and re-pinging the gateway,
>>>>but it stops working after I stop and start the VM.
>>>>
>>>How does the VM get its IP address, static or DHCP ? If DHCP, could
>>>you try a static IP address?
>>>
>>>In case it doesn't work, what does 'ebtables -t nat -L' show and
>>>which IP address is assigned to the VM's interface?
>>>
>>> Stefan
>>static IP, the ebtables output shows IP 0.0.0.0 for the VM MAC address:
>>
>>Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
>>-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
>>--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
>>--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
>>-j DROP
>>
>>Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
>>-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
>>--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
>>0:1a:4a:16:1:52 -j ACCEPT
>>-j DROP
>>
>>
>>How can I set the IP in the case?
>Ok,
>it's working when I set the IP in the filter:
><filterref filter='clean-traffic'>
> <parameter name='IP' value='10.35.16.50'/>
></filterref>
>
>I guess it's the only solution...?
The IP address in the parameter XML node has to match the one
assigned to the interface inside the VM. If they don't match nothing
works. If you leave out the line '<parameter name=.../>' then this
will start libvirt's IP address learning/detection that will lock
your VM into the first IP address it detects that the VM is using on
a particular interface. This should also work.
Stefan
Thank you Stefan
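The filter the thread ended up with, generated and checked in code; this is an added example, not code from the thread or from libvirt. It assumes GATEWAY_MAC is supplied as a parameter on the domain's interface <filterref> (which is how the $GATEWAY_MAC reference in the filter gets its value) and that the caller knows the IP address configured inside the VM, so the mismatch Stefan describes can be caught before the VM is started.

```python
"""Build the isolating nwfilter and verify its clean-traffic IP parameter
matches the address the VM actually uses (added example, not libvirt code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def build_filter(name, vm_ip=None, priority=10):
    """Filter XML: clean-traffic plus a drop of any outgoing frame whose
    destination MAC is not $GATEWAY_MAC. With vm_ip given, clean-traffic
    gets a fixed IP instead of learning (and locking to) the first one seen."""
    flt = ET.Element("filter", name=name, chain="ipv4")
    ref = ET.SubElement(flt, "filterref", filter="clean-traffic")
    if vm_ip is not None:
        # IPv4Address() rejects malformed addresses before they reach libvirt
        ET.SubElement(ref, "parameter", name="IP",
                      value=str(ipaddress.IPv4Address(vm_ip)))
    rule = ET.SubElement(flt, "rule", action="drop", direction="out",
                         priority=str(priority))
    ET.SubElement(rule, "mac", match="no", dstmacaddr="$GATEWAY_MAC")
    return ET.tostring(flt, encoding="unicode")


def interface_filterref(filter_name, gateway_mac):
    """<filterref> for the domain's <interface>, passing GATEWAY_MAC
    (assumed parameter name, matching the $GATEWAY_MAC in the filter)."""
    if not MAC_RE.match(gateway_mac):
        raise ValueError("bad MAC address: %s" % gateway_mac)
    ref = ET.Element("filterref", filter=filter_name)
    ET.SubElement(ref, "parameter", name="GATEWAY_MAC", value=gateway_mac)
    return ET.tostring(ref, encoding="unicode")


def ip_parameter_matches(filter_xml, configured_ip):
    """True when every clean-traffic IP parameter equals the VM's configured
    address, or when none is set (libvirt then detects the address itself)."""
    root = ET.fromstring(filter_xml)
    params = root.findall(
        "./filterref[@filter='clean-traffic']/parameter[@name='IP']")
    want = ipaddress.IPv4Address(configured_ip)
    return all(ipaddress.IPv4Address(p.get("value")) == want for p in params)
```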