[libvirt] nwfilter: limit VM traffic to specific MAC

Shahar Havivi shaharh at redhat.com
Mon Jun 20 12:11:43 UTC 2011


On 20.06.11 08:02, Stefan Berger wrote:
> Shahar Havivi <shaharh at redhat.com> wrote on 06/20/2011 07:39:35 AM:
> 
> > From: Shahar Havivi <shaharh at redhat.com>
> > To: libvirt-list at redhat.com
> > Cc: Stefan Berger/Watson/IBM at IBMUS
> > Date: 06/20/2011 07:42 AM
> > Subject: nwfilter: limit VM traffic to specific MAC
> > 
> > Hi,
> > I am trying to add a custom filter to block VM traffic to other VMs by
> > limiting the traffic only to the gateway's MAC address.
> > The filter XML:
> > 
> > <filter name='rhev' chain='root'>
> >     <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
> >     <filterref filter='allow-dhcp'/>
> >     <rule action='drop' direction='out' priority='500'>
> >         <mac match='no' dstmacaddr='$MAC'/>
> >     </rule>
> > </filter>
> 
> > 
> > The MAC is not the interface MAC address; it's the gateway's MAC that is passed
> > as a parameter (I use the gateway address hardcoded as well).
> > 
> > The VM is getting a DHCP IP but cannot get any traffic.
> > I notice that when I edit (comment and uncomment) the drop rule, the filter is
> > working fine, i.e. no traffic other than the gateway.
> > 
> > 1. Am I doing something wrong?
> 
> Try to put the concrete MAC address of the gateway into the dstmacaddr 
> field. $MAC is going to be translated to the MAC address of the interface. 
> Once it works, try using $GATEWAY_MAC and have that defined via <parameter 
> name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 
> 'rhev' filter.
> 
> The DHCP server must be running on the gateway.
Thank you Stefan,
Instead of adding the 'allow-dhcp' filter, can I whitelist 2 MAC addresses,
the gateway and the DHCP server?

<rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
<rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$DHCP_MAC'/>
</rule>

> 
> > 2. What is the table name that libvirt uses for ebtables?
> 
> It's the 'nat' table : 'ebtables -t nat -L' shows you the resulting rules.
> 
>    Stefan
> 
> > 
> > Shahar.

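For reference, here is an added example (not code from this thread, and not libvirt's own) of how a two-MAC whitelist of the kind asked about above can be expressed so that the rules do not cancel each other out. Two independent `match='no'` drop rules would each drop the traffic the other permits, because a frame addressed to the gateway is, by definition, not addressed to the DHCP server and vice versa. Instead, the allowed destinations get `accept` rules at a numerically lower (i.e. earlier-evaluated) priority, followed by a catch-all `drop`. Because the VM has to resolve the gateway's address with ARP, and ARP requests go to the broadcast MAC, an ARP accept towards the gateway IP is included as well. The filter name `rhev-gateway-only`, the parameter names `GATEWAY_MAC`, `DHCP_MAC` and `GATEWAY_IP`, the bridge name and all addresses are placeholders chosen for this example; `allow-dhcp` is the built-in filter already referenced in the thread. The block contains two separate XML fragments (the filter definition and the domain interface element), separated by a comment.

```xml
<!-- Added example (not from the thread): nwfilter definition, saved e.g. as
     rhev-gateway-only.xml and loaded with 'virsh nwfilter-define'.
     Rules in a chain are evaluated in ascending priority order, so the
     accept rules (priority 400) are checked before the catch-all drop (500). -->
<filter name='rhev-gateway-only' chain='root'>
  <!-- DHCP client traffic is handled by the built-in allow-dhcp filter -->
  <filterref filter='allow-dhcp'/>

  <!-- Frames from the VM to the gateway. $GATEWAY_MAC is supplied by the
       domain's <filterref> below; $MAC would be the interface's own address,
       which is not what we want here. -->
  <rule action='accept' direction='out' priority='400'>
    <mac dstmacaddr='$GATEWAY_MAC'/>
  </rule>

  <!-- Frames from the VM to the DHCP server, for the case where it is not
       the gateway (unicast renewals) -->
  <rule action='accept' direction='out' priority='400'>
    <mac dstmacaddr='$DHCP_MAC'/>
  </rule>

  <!-- ARP requests are sent to the broadcast MAC and would otherwise hit the
       drop below; allow only requests asking for the gateway's IP address.
       $GATEWAY_IP is a placeholder parameter introduced for this example. -->
  <rule action='accept' direction='out' priority='400'>
    <arp opcode='Request' arpdstipaddr='$GATEWAY_IP'/>
  </rule>

  <!-- Everything else leaving the VM, including frames to other VMs and
       any other broadcast, is dropped -->
  <rule action='drop' direction='out' priority='500'>
    <mac/>
  </rule>
</filter>

<!-- Second fragment: the domain's interface element referencing the filter.
     Bridge name and all address values are placeholders for this example. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:aa:bb:cc'/>
  <filterref filter='rhev-gateway-only'>
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
    <parameter name='DHCP_MAC' value='00:11:22:33:44:66'/>
    <parameter name='GATEWAY_IP' value='192.168.122.1'/>
  </filterref>
</interface>
```

Define the filter with `virsh nwfilter-define rhev-gateway-only.xml`, attach it by adding the `<filterref>` to the domain (for example via `virsh edit`), and inspect the generated rules with `ebtables -t nat -L`, the table Stefan names above. Two caveats: if the DHCP server does not sit on the gateway, the VM will also need to ARP for the DHCP server's IP when it renews by unicast, which would require a further ARP accept rule with that address; and since ARP replies from the VM are unicast to the requester's MAC, they are only accepted when the requester is the gateway or the DHCP server, so other VMs on the bridge cannot resolve this VM's address either.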