[libvirt] nwfilter: limit VM traffic to specific MAC

Stefan Berger stefanb at us.ibm.com
Mon Jun 20 12:20:02 UTC 2011


Shahar Havivi <shaharh at redhat.com> wrote on 06/20/2011 08:11:43 AM:

> From: Shahar Havivi <shaharh at redhat.com>
> To: Stefan Berger/Watson/IBM at IBMUS
> Cc: libvirt-list at redhat.com
> Date: 06/20/2011 08:13 AM
> Subject: Re: nwfilter: limit VM traffic to specific MAC
> 
> On 20.06.11 08:02, Stefan Berger wrote:
> > Shahar Havivi <shaharh at redhat.com> wrote on 06/20/2011 07:39:35 AM:
> > 
> > > From: Shahar Havivi <shaharh at redhat.com>
> > > To: libvirt-list at redhat.com
> > > Cc: Stefan Berger/Watson/IBM at IBMUS
> > > Date: 06/20/2011 07:42 AM
> > > Subject: nwfilter: limit VM traffic to specific MAC
> > > 
> > > Hi,
> > > I am trying to add a custom filter to block VM traffic to other VMs by
> > > limiting the traffic only to the gateway's MAC address.
> > > The filter XML:
> > > 
> > > <filter name='rhev' chain='root'>
> > >     <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
> > >     <filterref filter='allow-dhcp'/>
> > >     <rule action='drop' direction='out' priority='500'>
> > >         <mac match='no' dstmacaddr='$MAC'/>
> > >     </rule>
> > > </filter>
> > 
> > > 
> > > The MAC is not the interface MAC address, it's the gateway's MAC that is
> > > passed as a parameter (I use the gateway address hardcoded as well).
> > > 
> > > The VM is getting a DHCP IP but cannot get any traffic.
> > > I notice that when I edit (comment and uncomment) the drop rule,
> > > the filter is working fine, i.e. no traffic other than the gateway.
> > > 
> > > 1. Am I doing something wrong?
> > 
> > Try to put the concrete MAC address of the gateway into the dstmacaddr
> > field. $MAC is going to be translated to the MAC address of the interface.
> > Once it works, try using $GATEWAY_MAC and have that defined via <parameter
> > name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the
> > 'rhev' filter.
> > 
> > The DHCP server must be running on the gateway.
> Thank you Stefan,
> Instead of adding the 'allow-dhcp' filter, can I whitelist two MAC addresses,
> the gateway and the DHCP server?
> 
> <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> </rule>
> <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$DHCP_MAC'/>
> </rule>

Unfortunately that would not work. 

   Stefan
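Added example, not from the thread and not one of libvirt's shipped filters: the parameterized filter Stefan suggests, with the gateway MAC accepted explicitly and everything else the guest sends dropped, followed by the domain <interface> stanza that supplies the parameter. The two drop rules in the follow-up question cannot express a whitelist: each match='no' rule drops every frame that does not match its own MAC, so a frame for the gateway is dropped by the $DHCP_MAC rule and a frame for the DHCP server is dropped by the $GATEWAY_MAC rule. Accept rules for the wanted destinations, given a lower priority number so they are evaluated first, followed by a catch-all drop, express what was intended. The filter name 'rhev', the bridge 'br0', the parameter names GATEWAY_MAC and GATEWAY_IP and the values in the <parameter> elements are placeholders chosen for this example; a rule without a protocol element is assumed to match all remaining frames at the ebtables level, which to my knowledge is how libvirt's stock no-other-l2-traffic filter is written. One caveat that also applies to the original filter: the guest resolves the gateway's MAC with an ARP request, which is a broadcast frame (destination ff:ff:ff:ff:ff:ff) and so never matches an accept rule keyed on the gateway's unicast MAC, so ARP requests for the gateway IP are accepted by a separate rule.

```xml
<!-- Filter definition, loaded with: virsh nwfilter-define rhev.xml
     No <uuid>: libvirt assigns one if it is absent. -->
<filter name='rhev' chain='root'>
  <!-- The initial DHCPDISCOVER is a broadcast frame and renewals are
       unicast to the server; the stock allow-dhcp filter admits both,
       which is why a second unicast MAC alone cannot replace it. -->
  <filterref filter='allow-dhcp'/>

  <!-- Rules are evaluated in ascending priority order (lower number
       first) and 'accept' is terminal for the frame. -->

  <!-- Unicast frames to the gateway. $GATEWAY_MAC is bound by the
       <parameter> element in the domain XML below (assumed name). -->
  <rule action='accept' direction='out' priority='100'>
    <mac dstmacaddr='$GATEWAY_MAC'/>
  </rule>

  <!-- ARP requests for the gateway IP only. They go to the broadcast
       address, so the rule above does not match them; restricting
       arpdstipaddr keeps the guest from ARP-probing other guests. -->
  <rule action='accept' direction='out' priority='100'>
    <arp opcode='Request' dstmacaddr='ff:ff:ff:ff:ff:ff'
         arpdstipaddr='$GATEWAY_IP'/>
  </rule>

  <!-- A second whitelisted unicast destination (for example a DHCP
       server that is not on the gateway) would be one more accept
       rule of the same shape as the $GATEWAY_MAC rule. -->

  <!-- Everything else the guest sends, including frames to other
       guests on the same bridge, is dropped. No protocol element,
       so the rule matches all remaining frames. -->
  <rule action='drop' direction='out' priority='1000'/>
</filter>

<!-- Domain XML (virsh edit <domain>): the interface references the
     filter and binds the variables. The MAC, IP and bridge name are
     placeholders for this example. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <filterref filter='rhev'>
    <parameter name='GATEWAY_MAC' value='52:54:00:12:34:56'/>
    <parameter name='GATEWAY_IP' value='192.168.122.1'/>
  </filterref>
</interface>
```

Like the filter in the thread, this only constrains the 'out' direction; frames arriving at the guest are not filtered by it. After defining the filter and starting the domain, `virsh nwfilter-dumpxml rhev` shows the stored definition and `ebtables -t nat -L` shows the generated per-interface chains, which is the quickest way to confirm that the accept rules really precede the drop and that $GATEWAY_MAC was substituted with the value from the <parameter> element rather than with the interface's own MAC.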