[libvirt] nwfilter: limit VM traffic to specific MAC

Hi,
I am trying to add a custom filter to block VM traffic to other VMs by limiting the traffic only to the gateway's MAC address. The filter XML:

<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <filterref filter='allow-dhcp'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$MAC'/>
  </rule>
</filter>

The MAC is not the interface MAC address, it's the gateway's MAC that is passed as a parameter (I use the gateway address hardcoded as well).
The VM is getting a DHCP IP but cannot get any traffic. I notice that when I edit (comment and uncomment) the drop rule, the filter is working fine, i.e. no traffic other than the gateway.
1. Am I doing something wrong?
2. What is the table name that libvirt uses for ebtables?

Shahar.

Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 07:39:35 AM:
From: Shahar Havivi <shaharh@redhat.com> To: libvirt-list@redhat.com Cc: Stefan Berger/Watson/IBM@IBMUS Date: 06/20/2011 07:42 AM Subject: nwfilter: limit VM traffic to specific MAC

> 1. Am I doing something wrong?

Try to put the concrete MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface. Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter. The DHCP server must be running on the gateway.

> 2. What is the table name that libvirt uses for ebtables?

It's the 'nat' table: 'ebtables -t nat -L' shows you the resulting rules.

Stefan

On 20.06.11 08:02, Stefan Berger wrote:

> Try to put the concrete MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface. Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter.
> The DHCP server must be running on the gateway.

Thank you Stefan,
Instead of adding the 'allow-dhcp' filter, can I whitelist 2 MAC addresses, the gateway and the DHCP server?

<rule action='drop' direction='out' priority='500'>
  <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
  <mac match='no' dstmacaddr='$DHCP_MAC'/>
</rule>

Shahar.

Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 08:11:43 AM:
From: Shahar Havivi <shaharh@redhat.com> To: Stefan Berger/Watson/IBM@IBMUS Cc: libvirt-list@redhat.com Date: 06/20/2011 08:13 AM Subject: Re: nwfilter: limit VM traffic to specific MAC

> Thank you Stefan,
> Instead of adding the 'allow-dhcp' filter, can I whitelist 2 MAC addresses, the gateway and the DHCP server?
>
> <rule action='drop' direction='out' priority='500'>
>   <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> </rule>
> <rule action='drop' direction='out' priority='500'>
>   <mac match='no' dstmacaddr='$DHCP_MAC'/>
> </rule>

Unfortunately that would not work.

Stefan
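The following is an added example, not code from libvirt or from either participant in this thread. It models the two points made above in working code: Stefan's note that $MAC resolves to the interface's own MAC (so the original 'rhev' filter drops every outbound frame) and his reply that two negated drop rules cannot whitelist two destinations (each frame fails one of the two "not equal to" matches, so every frame is dropped). The model parses <rule>/<mac> elements in the shape used in this thread, substitutes $PARAMETER values, orders rules by priority (lower number first) and applies first-match semantics; that ordering and first-match behaviour, the default priority of 500, the "no rule matched means accept" fallback, and the accept-then-drop alternative at the end are all assumptions of the model rather than statements from the thread. All MAC addresses are constructed sample values, and <filterref> / <uuid> elements are ignored.

```python
"""Minimal model of libvirt-style nwfilter MAC rule evaluation (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample addresses; none of these come from the thread.
IFACE_MAC = "52:54:00:aa:bb:cc"      # the VM interface's own MAC ($MAC)
GATEWAY_MAC = "00:11:22:33:44:01"    # value a user would pass as $GATEWAY_MAC
DHCP_MAC = "00:11:22:33:44:02"       # value a user would pass as $DHCP_MAC
OTHER_VM_MAC = "52:54:00:dd:ee:ff"   # a neighbouring VM that should be blocked

# Parameter table as the model assumes libvirt fills it: $MAC is always the
# interface MAC, the rest come from <parameter name=... value=.../> entries.
PARAMS = {"MAC": IFACE_MAC, "GATEWAY_MAC": GATEWAY_MAC, "DHCP_MAC": DHCP_MAC}


def parse_rules(filter_xml, params):
    """Extract outbound <mac> rules, substitute $VARS and sort by priority."""
    root = ET.fromstring(filter_xml)
    rules = []
    for rule in root.iter("rule"):
        if rule.get("direction") != "out":
            continue                      # only outbound traffic is modelled
        mac = rule.find("mac")
        if mac is None:
            continue                      # non-MAC rules are out of scope here
        dst = mac.get("dstmacaddr")
        if dst and dst.startswith("$"):
            dst = params[dst[1:]]         # parameter substitution
        rules.append({
            "action": rule.get("action"),
            "priority": int(rule.get("priority", "500")),  # assumed default
            "negate": mac.get("match") == "no",
            "dstmac": dst.lower() if dst else None,        # None = any dst
        })
    rules.sort(key=lambda r: r["priority"])  # stable: ties keep XML order
    return rules


def rule_matches(rule, dstmac):
    """A <mac/> with no dstmacaddr matches everything; match='no' inverts."""
    hit = rule["dstmac"] is None or rule["dstmac"] == dstmac.lower()
    return (not hit) if rule["negate"] else hit


def evaluate(rules, dstmac):
    """First matching rule decides; assumed fallback when nothing matches."""
    for rule in rules:
        if rule_matches(rule, dstmac):
            return rule["action"]
    return "accept"


# The original 'rhev' filter from the thread: $MAC is the interface MAC.
ORIGINAL = """
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <filterref filter='allow-dhcp'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$MAC'/>
  </rule>
</filter>
"""

# The follow-up proposal from the thread: two negated drop rules.
TWO_DROPS = """
<filter name='rhev' chain='root'>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$DHCP_MAC'/>
  </rule>
</filter>
"""

# Assumed alternative (not from the thread): accept the two destinations
# explicitly at a lower priority number, then drop all other frames.
ACCEPT_THEN_DROP = """
<filter name='rhev' chain='root'>
  <rule action='accept' direction='out' priority='100'>
    <mac dstmacaddr='$GATEWAY_MAC'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <mac dstmacaddr='$DHCP_MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>
"""


def verdicts(filter_xml):
    """Verdict per constructed destination for the given filter XML."""
    rules = parse_rules(filter_xml, PARAMS)
    targets = [("gateway", GATEWAY_MAC), ("dhcp", DHCP_MAC), ("other_vm", OTHER_VM_MAC)]
    return {name: evaluate(rules, mac) for name, mac in targets}


if __name__ == "__main__":
    for label, xml in (("original ($MAC)", ORIGINAL), ("two negated drops", TWO_DROPS),
                       ("accept then drop", ACCEPT_THEN_DROP)):
        print(f"{label:20s} {verdicts(xml)}")
```

Running the block shows the original filter and the two-drop variant dropping all three destinations, while the accept-then-drop variant passes only the gateway and DHCP server; whatever libvirt actually generates can be checked on the host with 'ebtables -t nat -L' as noted earlier in the thread.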