
On 09.11.11 09:20, Stefan Berger wrote:
On 11/09/2011 07:44 AM, Shahar Havivi wrote:
On 09.11.11 06:44, Stefan Berger wrote:
On 08.11.11 16:34, Stefan Berger wrote:
On 11/07/2011 04:25 AM, Shahar Havivi wrote:
Hi,
I want to limit VM traffic to a specific MAC address, i.e. VMs cannot send traffic to each other, other than to a specific gateway.
I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml, located in /etc/libvirt/nwfilter/:
<filter name='isolatedprivatevlan-vdsm' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>
Try this one -- it works in 'my' subnet:
<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

On 11/09/2011 04:01 AM, Shahar Havivi wrote:
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as well...

That's odd. Can you ping the gateway from the VM? Is it typically ping-able? Are you sure you specified the correct MAC addresses -- check with 'arp -n' on a host in the same subnet and see what it shows for the gateway (ping it if you don't see an entry).

   Stefan

It's working only when I remove the line <filterref filter='clean-traffic'/> from the filter...
While you ping the gateway, can you re-add the above line to the filter?
   Stefan

It's working, even when stopping the ping and re-pinging the gateway, but it stops working after I stop and start the VM.
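Added example, not part of the thread and not libvirt's own code: a small Python checker for the kind of filter discussed above. It embeds a constructed copy of the chain='ipv4' filter and a constructed domain <interface> fragment (the gateway MAC in it is made up) and verifies the chain name, the rule priorities, and that every $VARIABLE the rules use is supplied on the <filterref> with a well-formed value. That catches a missing or mistyped GATEWAY_MAC parameter before the VM is started, which is one of the things worth ruling out when a filter blocks more than intended.

```python
"""Sanity-check a libvirt nwfilter definition against the domain <interface>
that binds it: valid chain, sane priorities, and every $VARIABLE the rules use
actually supplied (with a well-formed value) on the <filterref>."""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the chain='ipv4' filter from the thread.
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>"""

# Constructed sample input: a domain <interface> that binds the filter and
# supplies GATEWAY_MAC (both MAC values are made up).
INTERFACE_XML = """<interface type='bridge'>
  <mac address='52:54:00:12:34:56'/>
  <source bridge='br0'/>
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>"""

# Chain names libvirt accepts (user chains may carry a suffix, e.g. ipv4-test).
CHAIN_PREFIXES = ("root", "mac", "stp", "vlan", "arp", "rarp", "ipv4", "ipv6")
# Variables libvirt fills in by itself for each interface.
BUILTIN_VARS = {"MAC", "IP"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def referenced_vars(filter_root):
    """Map each $VARIABLE used in a rule to the attribute names it appears in."""
    used = {}
    for rule in filter_root.iter("rule"):
        for proto in rule:  # <mac>, <ip>, <arp>, ... protocol elements
            for attr, value in proto.attrib.items():
                for var in VAR_RE.findall(value):
                    used.setdefault(var, set()).add(attr)
    return used


def supplied_params(interface_root, filter_name):
    """Collect <parameter name=... value=...> entries on the matching <filterref>."""
    params = {}
    for ref in interface_root.iter("filterref"):
        if ref.get("filter") == filter_name:
            for p in ref.findall("parameter"):
                params.setdefault(p.get("name"), []).append(p.get("value"))
    return params


def valid_chain(chain):
    """True for root, a known protocol chain, or a user chain prefixed by one."""
    return chain == "root" or any(
        chain == p or chain.startswith(p + "-") for p in CHAIN_PREFIXES)


def check_filter(filter_xml, interface_xml):
    """Return a list of problem strings; an empty list means the pair is consistent."""
    problems = []
    flt = ET.fromstring(filter_xml)
    iface = ET.fromstring(interface_xml)
    name = flt.get("name")
    chain = flt.get("chain", "root")
    if not valid_chain(chain):
        problems.append(f"unknown chain '{chain}'")
    for rule in flt.iter("rule"):
        prio = int(rule.get("priority", "500"))  # libvirt default is 500
        if not -1000 <= prio <= 1000:
            problems.append(f"rule priority {prio} outside -1000..1000")
    if not any(r.get("filter") == name for r in iface.iter("filterref")):
        problems.append(f"interface does not reference filter '{name}'")
    params = supplied_params(iface, name)
    for var, attrs in sorted(referenced_vars(flt).items()):
        if var in BUILTIN_VARS:
            continue
        if var not in params:
            problems.append(f"${var} is used by the filter but not supplied on the filterref")
            continue
        # A variable substituted into a *macaddr attribute must hold a MAC.
        if any(a.endswith("macaddr") for a in attrs):
            for value in params[var]:
                if not MAC_RE.match(value):
                    problems.append(f"${var}={value!r} is not a valid MAC address")
    return problems


if __name__ == "__main__":
    for msg in check_filter(FILTER_XML, INTERFACE_XML) or ["filter and interface look consistent"]:
        print(msg)
```

Run it against the real filter file and the output of 'virsh dumpxml <domain>' (only the <interface> element is needed) before attaching the filter; compare the GATEWAY_MAC value it reports with what 'arp -n' shows for the gateway on a host in the same subnet, as suggested above.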