Re: [libvirt] nwfilter: limit VM traffic to specific MAC
Shahar Havivi <shaharh(a)redhat.com> wrote on 06/20/2011 08:11:43 AM:
From: Shahar Havivi <shaharh(a)redhat.com>
To: Stefan Berger/Watson/IBM@IBMUS
Cc: libvirt-list(a)redhat.com
Date: 06/20/2011 08:13 AM
Subject: Re: nwfilter: limit VM traffic to specific MAC
On 20.06.11 08:02, Stefan Berger wrote:
> Shahar Havivi <shaharh(a)redhat.com> wrote on 06/20/2011 07:39:35 AM:
>
> > From: Shahar Havivi <shaharh(a)redhat.com>
> > To: libvirt-list(a)redhat.com
> > Cc: Stefan Berger/Watson/IBM@IBMUS
> > Date: 06/20/2011 07:42 AM
> > Subject: nwfilter: limit VM traffic to specific MAC
> >
> > Hi,
> > I am trying to add custom filter to block VM traffic to other VMs by
> limiting
> > the traffic only to the gateways MAC address.
> > The filter XML:
> >
> > <filter name='rhev' chain='root'>
> > <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
> > <filterref filter='allow-dhcp'/>
> > <rule action='drop' direction='out'
priority='500'>
> > <mac match='no' dstmacaddr='$MAC'/>
> > </rule>
> > </filter>
>
> >
> > The MAC is not the interface MAC address it's the gateways MAC that
pass
> as a
> > parameter (I use the gateway address hardcoded as well).
> >
> > The VM is getting DHCP ip but cannot get any traffic,
> > I notice that when I edit (comment and uncomment) the drop rule,
> thefilter is
> > working fine, ie no traffic other then the gateway.
> >
> > 1. Am I doing something wrong?
>
> Try to put the concret MAC address of the gateway into the dstmacaddr
> field. $MAC is going to be translated to the MAC address of the
interface.
> Once it works, try using $GATEWAY_MAC and have that defined via
<parameter
> name='GATEWAY_MAC' value='a.b.c.d'/> from
wherever you are referencing
the
> 'rhev' filter.
>
> The DHCP server must be running on the gateway.
Thank you Stefan,
Instead of adding 'allow-dhcp' filter, can I white list 2 mac addresses,
the gateway and the dhcp server?
<rule action='drop' direction='out' priority='500'>
<mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
<mac match='no' dstmacaddr='$DHCP_MAC'/>
</rule>
Unfortunately that would not work.
Stefan
Attachments:
- attachment.html (text/html — 3.3 KB)