<tt>Shahar Havivi <shaharh@redhat.com> wrote on 06/20/2011 07:39:35 AM: > From: Shahar Havivi <shaharh@redhat.com></tt> <tt>> To: libvirt-list@redhat.com</tt> <tt>> Cc: Stefan Berger/Watson/IBM@IBMUS</tt> <tt>> Date: 06/20/2011 07:42 AM</tt> <tt>> Subject: nwfilter: limit VM traffic to specific MAC</tt> <tt>> > Hi, > I am trying to add custom filter to block VM traffic to other VMs by limiting > the traffic only to the gateways MAC address. > The filter XML: > > <filter name='rhev' chain='root'> > <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid> > <filterref filter='allow-dhcp'/> > <rule action='drop' direction='out' priority='500'> > <mac match='no' dstmacaddr='$MAC'/> > </rule> > </filter></tt> <tt>> > The MAC is not the interface MAC address it's the gateways MAC that pass as a > parameter (I use the gateway address hardcoded as well). > > The VM is getting DHCP ip but cannot get any traffic, > I notice that when I edit (comment and uncomment) the drop rule, thefilter is > working fine, ie no traffic other then the gateway. > > 1. Am I doing something wrong? </tt> <tt>Try to put the concret MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface. Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter.</tt> <tt>The DHCP server must be running on the gateway.</tt> <tt>> 1. What is the table name that libvirt use for ebtables?</tt> <tt>It's the 'nat' table : 'ebtables -t nat -L' shows you the resulting rules.</tt> <tt> Stefan</tt> <tt> > > Shahar. </tt>