
From: Shahar Havivi <shaharh@redhat.com>
To: libvirt-list@redhat.com
Cc: Stefan Berger/Watson/IBM@IBMUS
Date: 06/20/2011 07:42 AM
Subject: nwfilter: limit VM traffic to specific MAC

Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 07:39:35 AM:

> Hi, I am trying to add a custom filter to block VM traffic to other VMs by
> limiting the traffic only to the gateway's MAC address. The filter XML:
>
>   <filter name='rhev' chain='root'>
>     <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
>     <filterref filter='allow-dhcp'/>
>     <rule action='drop' direction='out' priority='500'>
>       <mac match='no' dstmacaddr='$MAC'/>
>     </rule>
>   </filter>
>
> The MAC is not the interface MAC address; it's the gateway's MAC that I pass
> as a parameter (I have used the gateway address hard-coded as well).
>
> The VM is getting a DHCP IP but cannot get any traffic. I notice that when I
> edit (comment and uncomment) the drop rule, the filter is working fine, i.e.
> no traffic other than to the gateway.
>
> 1. Am I doing something wrong?

Try to put the concrete MAC address of the gateway into the dstmacaddr field.
$MAC is going to be translated to the MAC address of the interface. Once it
works, try using $GATEWAY_MAC and have that defined via
<parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are
referencing the 'rhev' filter. The DHCP server must be running on the gateway.

> 2. What is the table name that libvirt uses for ebtables?

It's the 'nat' table: 'ebtables -t nat -L' shows you the resulting rules.

   Stefan

> Shahar.
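The filter and the domain fragment below are an added worked example of Stefan's suggestion, not code from the thread or from libvirt itself. The filter keeps the name 'rhev' and the drop rule from the original post but references a custom variable $GATEWAY_MAC instead of the built-in $MAC, and the domain's <interface> supplies that variable through a <parameter> element inside <filterref>. The uuid is omitted (libvirt generates one on define), the bridge name 'br0' and both MAC addresses are constructed placeholders, and the ARP rule is my own addition: the thread does not discuss it, but ARP requests for the gateway are sent to the broadcast MAC, so a rule that drops every outgoing frame not addressed to the gateway's MAC would also drop them unless an accept rule with a lower priority value (evaluated first) lets them through.

```xml
<!-- nwfilter definition; load it with: virsh nwfilter-define rhev.xml
     $GATEWAY_MAC is a custom parameter supplied by the referencing domain.
     The built-in $MAC expands to the VM's own interface MAC, which is why
     the original rule dropped everything the VM sent. -->
<filter name='rhev' chain='root'>
  <!-- The allow-dhcp rules carry a lower priority value than 500, so they
       are evaluated before the drop rule (lower values go first); that is
       why the VM in the thread still obtained a lease. -->
  <filterref filter='allow-dhcp'/>

  <!-- Added here, not from the thread: ARP requests are broadcast
       (dst ff:ff:ff:ff:ff:ff). Without this rule the drop rule below would
       stop the VM from resolving the gateway's IP to its MAC. Unicast ARP
       replies to the gateway already match dstmacaddr='$GATEWAY_MAC'. -->
  <rule action='accept' direction='out' priority='400'>
    <mac protocolid='arp' dstmacaddr='ff:ff:ff:ff:ff:ff'/>
  </rule>

  <!-- Drop any other outgoing frame whose destination MAC is not the gateway. -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- Domain XML fragment (virsh edit <domain>): the interface references the
     filter and supplies the gateway MAC as a parameter. Both MAC addresses
     are constructed placeholders and 'br0' is an assumed bridge name. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='rhev'>
    <parameter name='GATEWAY_MAC' value='00:1a:2b:3c:4d:5e'/>
  </filterref>
</interface>
```

After the domain is (re)started, 'ebtables -t nat -L' on the host, as Stefan points out, lists the chains libvirt generated for the interface; the drop rule should appear there with the gateway's MAC, not the VM's own MAC, as the negated destination. If the VM still receives a lease but nothing else, that listing is the first place to check which MAC the variable actually expanded to.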