[libvirt] nwfilter - limit VM traffic to specific mac address

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Nov 9 15:49:31 UTC 2011


On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> On 09.11.11 09:20, Stefan Berger wrote:
>> On 11/09/2011 07:44 AM, Shahar Havivi wrote:
>>> On 09.11.11 06:44, Stefan Berger wrote:
>>>> On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>>>>> On 08.11.11 16:34, Stefan Berger wrote:
>>>>>> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>>>>>> traffic each other other than a specific gateway.
>>>>>>>
>>>>>>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>>>>>> located in /etc/libvirt/nwfilter/:
>>>>>>>
>>>>>>> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>>>>>      <filterref filter='clean-traffic'/>
>>>>>>>      <rule action='drop' direction='out' priority='500'>
>>>>>>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>>      </rule>
>>>>>>> </filter>
>>>>>>>
>>>>>> Try this one -- it works in 'my' subnet:
>>>>>>
>>>>>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>>>>>      <filterref filter='clean-traffic'/>
>>>>>>      <rule action='drop' direction='out' priority='10'>
>>>>>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>>      </rule>
>>>>>> </filter>
>>>>> Thanks,
>>>>> Now it is blocking the traffic, but I can't get traffic to the gateway
>>>>> either...
>>>> That's odd. Can you ping the gateway from the VM? Is it typically
>>>> ping-able? Are you sure you specified the correct MAC addresses --
>>>> check with 'arp -n' on a host in the same subnet and see what it
>>>> shows for the gateway (ping it if you don't see an entry).
>>>>
>>>>      Stefan
>>> It's working only when I remove the line
>>>      <filterref filter='clean-traffic'/>
>>> from the filter...
>> While you ping the gateway, can you re-add the above line to the filter?
>>
>>     Stefan
> it's working, even when stopping the ping and re-pinging the gateway,
> but it stops working after I stopped and started the VM.
>
How does the VM get its IP address, static or DHCP? If DHCP, could you
try a static IP address?

In case it doesn't work, what does 'ebtables -t nat -L' show and which
IP address is assigned to the VM's interface?

    Stefan
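As an added example (not code from this thread or from libvirt), a small Python check that walks a filter and its filterref chain, lists the $VARIABLES its rules use, and reports any that the domain's <filterref> does not pass as a <parameter>. The custom filter is the chain='ipv4' variant quoted above; the clean-traffic stub and the <interface> XML are constructed stand-ins, and MAC and IP are treated as supplied by libvirt itself (MAC from the interface definition, IP learned unless given).

```python
import re
import xml.etree.ElementTree as ET
# Custom filter from the thread (the chain='ipv4' variant), used verbatim.
ISOLATED_FILTER = """<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>"""

# Constructed, reduced stand-in for libvirt's clean-traffic filter; only its $MAC/$IP references matter here.
CLEAN_TRAFFIC_STUB = """<filter name='clean-traffic' chain='root'>
  <rule action='return' direction='out'><mac srcmacaddr='$MAC'/></rule>
  <rule action='return' direction='out'><ip srcipaddr='$IP'/></rule>
</filter>"""

# Constructed domain <interface> attaching the filter and passing GATEWAY_MAC.
INTERFACE_XML = """<interface type='bridge'>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>"""
FILTERS = {"isolatedprivatevlan-vdsm": ISOLATED_FILTER, "clean-traffic": CLEAN_TRAFFIC_STUB}
AUTO_VARS = {"MAC", "IP"}  # MAC comes from <mac address/>; IP is learned by libvirt unless supplied

def referenced_vars(filters, name, seen=None):
    """Return (variables used, unresolved filter names) across a filter and its filterrefs."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against filterref cycles
        return set(), set()
    seen.add(name)
    if name not in filters:
        return set(), {name}
    found, unresolved = set(), set()
    for el in ET.fromstring(filters[name]).iter():
        if el.tag == "filterref":
            sub_vars, sub_unres = referenced_vars(filters, el.get("filter"), seen)
            found |= sub_vars
            unresolved |= sub_unres
        else:
            for value in el.attrib.values():
                found.update(re.findall(r"\$(\w+)", value))
    return found, unresolved

def unsupplied_vars(filters, interface_xml):
    """Variables the attached filter needs that neither a <parameter> nor libvirt supplies."""
    ref = ET.fromstring(interface_xml).find("filterref")
    supplied = {p.get("name") for p in ref.findall("parameter")} | AUTO_VARS
    needed, unresolved = referenced_vars(filters, ref.get("filter"))
    return sorted(needed - supplied), sorted(unresolved)
```

An unresolved filter name means the check could not see that filter's own variables, so run it against the real filter definitions (e.g. the output of 'virsh nwfilter-dumpxml clean-traffic') rather than the stub.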
