[libvirt] nwfilter: limit VM traffic to specific MAC

Stefan Berger stefanb at us.ibm.com
Mon Jun 20 12:02:29 UTC 2011


Shahar Havivi <shaharh at redhat.com> wrote on 06/20/2011 07:39:35 AM:

> From: Shahar Havivi <shaharh at redhat.com>
> To: libvirt-list at redhat.com
> Cc: Stefan Berger/Watson/IBM at IBMUS
> Date: 06/20/2011 07:42 AM
> Subject: nwfilter: limit VM traffic to specific MAC
> 
> Hi,
> I am trying to add a custom filter to block VM traffic to other VMs by
> limiting the traffic only to the gateway's MAC address.
> The filter XML:
> 
> <filter name='rhev' chain='root'>
>     <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
>     <filterref filter='allow-dhcp'/>
>     <rule action='drop' direction='out' priority='500'>
>         <mac match='no' dstmacaddr='$MAC'/>
>     </rule>
> </filter>

> 
> The MAC is not the interface MAC address; it's the gateway's MAC that is
> passed as a parameter (I use the gateway address hardcoded as well).
> 
> The VM is getting a DHCP IP but cannot get any traffic.
> I notice that when I edit (comment and uncomment) the drop rule, the
> filter is working fine, i.e. no traffic other than the gateway.
> 
> 1. Am I doing something wrong?

Try to put the concrete MAC address of the gateway into the dstmacaddr 
field. $MAC is going to be translated to the MAC address of the interface. 
Once it works, try using $GATEWAY_MAC and have that defined via <parameter 
name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 
'rhev' filter.

The DHCP server must be running on the gateway.

> 1. What is the table name that libvirt uses for ebtables?

It's the 'nat' table: 'ebtables -t nat -L' shows you the resulting rules.

   Stefan

> 
> Shahar.
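The filter rewritten as Stefan suggests, with the gateway MAC supplied as a filter variable from the domain's interface definition. This is an added example, not code from the thread; the gateway and guest MAC values and the bridge name br0 are constructed placeholders.

```xml
<!-- File 1: the filter, loaded with 'virsh nwfilter-define rhev.xml'.
     $GATEWAY_MAC is a filter variable that must be provided by whoever
     references the filter; $MAC would instead be resolved by libvirt to
     the guest interface's own MAC address, which is why the original
     rule dropped everything except DHCP. -->
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <!-- allow DHCP so the guest can still obtain its address -->
  <filterref filter='allow-dhcp'/>
  <!-- drop any outgoing frame whose destination is not the gateway -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- File 2: the <interface> element inside the domain XML that references
     the filter and binds the variable. The MAC addresses and bridge name
     below are constructed sample values, not taken from the thread. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='rhev'>
    <!-- value must be a real 6-octet MAC, e.g. that of the gateway -->
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>
```

After (re)defining the domain, 'ebtables -t nat -L' on the host should show a drop rule whose destination MAC is the gateway's, not the guest's.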