
Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 08:11:43 AM:

From: Shahar Havivi <shaharh@redhat.com>
To: Stefan Berger/Watson/IBM@IBMUS
Cc: libvirt-list@redhat.com
Date: 06/20/2011 08:13 AM
Subject: Re: nwfilter: limit VM traffic to specific MAC
On 20.06.11 08:02, Stefan Berger wrote:
Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 07:39:35 AM:

From: Shahar Havivi <shaharh@redhat.com>
To: libvirt-list@redhat.com
Cc: Stefan Berger/Watson/IBM@IBMUS
Date: 06/20/2011 07:42 AM
Subject: nwfilter: limit VM traffic to specific MAC
Hi, I am trying to add a custom filter to block VM traffic to other VMs by limiting
the traffic only to the gateway's MAC address. The filter XML:
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <filterref filter='allow-dhcp'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$MAC'/>
  </rule>
</filter>
The MAC is not the interface MAC address, it's the gateway's MAC that I pass as a
parameter (I use the gateway address hardcoded as well).
The VM is getting a DHCP IP but cannot get any traffic. I notice that when I edit (comment and uncomment) the drop rule,
the filter is working fine, i.e. no traffic other than the gateway.
1. Am I doing something wrong?
Try to put the concrete MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface. Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter.
The DHCP server must be running on the gateway.

Thank you Stefan,
Instead of adding the 'allow-dhcp' filter, can I whitelist 2 MAC addresses, the gateway and the DHCP server?
<rule action='drop' direction='out' priority='500'>
  <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
  <mac match='no' dstmacaddr='$DHCP_MAC'/>
</rule>
Unfortunately that would not work.

Stefan
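As an added illustration that is not part of the thread, here is the filter and the domain interface reference that Stefan's first reply describes: the filter keeps allow-dhcp and drops outbound frames not addressed to the gateway, and the domain XML supplies the gateway MAC through the GATEWAY_MAC parameter. The bridge name and both MAC values are constructed placeholders; the filter name and uuid are the ones from Shahar's XML.

```xml
<!-- rhev.xml: network filter definition, loaded with "virsh nwfilter-define rhev.xml" -->
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <!-- built-in libvirt filter that lets the guest obtain a lease -->
  <filterref filter='allow-dhcp'/>
  <!-- drop every outbound frame whose destination is NOT the gateway.
       $GATEWAY_MAC is a variable resolved per interface from the domain XML;
       $MAC would instead resolve to the guest interface's own address -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- domain XML, <interface> element inside <devices>: references the filter
     and binds the variable. br0 and both MACs are constructed examples. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:aa:bb:cc'/>
  <filterref filter='rhev'>
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>
```

Two separate match='no' drop rules, as in the second proposal, do not add up to a whitelist: each rule is evaluated on its own, so a frame addressed to the gateway still fails the DHCP-MAC rule and is dropped, which is why the allow-dhcp reference is kept instead.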