[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Thu Nov 10 11:25:27 UTC 2011


On 10.11.11 06:25, Stefan Berger wrote:
> On 11/10/2011 05:21 AM, Shahar Havivi wrote:
> >On 10.11.11 11:30, Shahar Havivi wrote:
> >>On 09.11.11 10:49, Stefan Berger wrote:
> >>>On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> >>>>On 09.11.11 09:20, Stefan Berger wrote:
> >>>>>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> >>>>>>On 09.11.11 06:44, Stefan Berger wrote:
> >>>>>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >>>>>>>>On 08.11.11 16:34, Stefan Berger wrote:
> >>>>>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>>>>>>>>Hi,
> >>>>>>>>>>
> >>>>>>>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> >>>>>>>>>>exchange traffic with each other other than with a specific gateway.
> >>>>>>>>>>
> >>>>>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> >>>>>>>>>>located in /etc/libvirt/nwfilter/:
> >>>>>>>>>>
> >>>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>>>>>>>>     <filterref filter='clean-traffic'/>
> >>>>>>>>>>     <rule action='drop' direction='out' priority='500'>
> >>>>>>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>>>>>     </rule>
> >>>>>>>>>></filter>
> >>>>>>>>>>
> >>>>>>>>>Try this one -- it works in 'my' subnet:
> >>>>>>>>>
> >>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>>>>>>>>     <filterref filter='clean-traffic'/>
> >>>>>>>>>     <rule action='drop' direction='out' priority='10'>
> >>>>>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>>>>     </rule>
> >>>>>>>>></filter>
> >>>>>>>>Thanks,
> >>>>>>>>Now it is blocking the traffic but I can't get traffic to the gateway as
> >>>>>>>>well...
> >>>>>>>That's odd. Can you ping the gateway from the VM? Is it typically
> >>>>>>>ping-able? Are you sure you specified the correct MAC addresses --
> >>>>>>>check with 'arp -n' on a host in the same subnet and see what it
> >>>>>>>shows for the gateway (ping it if you don't see an entry).
> >>>>>>>
> >>>>>>>     Stefan
> >>>>>>It's working only when I remove the line
> >>>>>>     <filterref filter='clean-traffic'/>
> >>>>>>from the filter...
> >>>>>While you ping the gateway, can you re-add the above line to the filter?
> >>>>>
> >>>>>    Stefan
> >>>>It's working, even when stopping the ping and re-pinging the gateway,
> >>>>but it stops working after I stop and start the VM.
> >>>>
> >>>How does the VM get its IP address, static or DHCP ? If DHCP, could
> >>>you try a static IP address?
> >>>
> >>>In case it doesn't work, what does 'ebtables -t nat -L' show and
> >>>which IP address is assigned to the VM's interface?
> >>>
> >>>    Stefan
> >>Static IP. The ebtables output shows IP 0.0.0.0 for the VM MAC address:
> >>
> >>Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> >>-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
> >>--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
> >>--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
> >>-j DROP
> >>
> >>Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> >>-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> >>--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
> >>0:1a:4a:16:1:52 -j ACCEPT
> >>-j DROP
> >>
> >>
> >>How can I set the IP in this case?
> >OK,
> >it's working when I set the IP in the filter:
> ><filterref filter='clean-traffic'>
> >     <parameter name='IP' value='10.35.16.50'/>
> ></filterref>
> >
> >I guess it's the only solution...?
> The IP address in the parameter XML node has to match the one
> assigned to the interface inside the VM. If they don't match nothing
> works. If you leave out the line '<parameter name=.../>' then this
> will start libvirt's IP address learning/detection that will lock
> your VM into the first IP address it detects that the VM is using on
> a particular interface. This should also work.
> 
>    Stefan
Thank you Stefan
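The configuration the thread converges on, written out in full as an added example (this is not XML from either participant's messages). It combines Stefan's `chain='ipv4'` / `priority='10'` filter with the explicit `IP` parameter Shahar ended up needing, and shows how `$GATEWAY_MAC` gets its value from the guest's `<interface>` definition. The bridge name `br0`, the gateway MAC `52:54:00:00:00:01` and the guest IP are placeholders; the guest MAC is the one from the ebtables output above.

```xml
<!-- /etc/libvirt/nwfilter/isolatedprivatevlan-vdsm.xml
     Added example, not from the thread. Values marked "placeholder" are made up. -->
<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <!-- clean-traffic adds MAC/IP/ARP anti-spoofing rules. The IP value must be the
       address configured inside the guest; leave the <parameter> out entirely to let
       libvirt learn the address from the guest's first packets instead. -->
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='10.35.16.50'/>   <!-- placeholder guest IP -->
  </filterref>

  <!-- Drop every outbound frame whose destination MAC is NOT the gateway.
       $GATEWAY_MAC is supplied by the domain's <filterref> below. -->
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- Fragment of the guest's domain XML: the <interface> that references the filter
     and passes the variable the filter depends on. -->
<interface type='bridge'>
  <mac address='00:1a:4a:16:01:52'/>            <!-- guest MAC from the thread -->
  <source bridge='br0'/>                        <!-- placeholder bridge name -->
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='GATEWAY_MAC' value='52:54:00:00:00:01'/>  <!-- placeholder -->
  </filterref>
</interface>
```

Load the filter with `virsh nwfilter-define isolatedprivatevlan-vdsm.xml` and check it with `virsh nwfilter-list`; the domain fragment goes into the guest's definition via `virsh edit`. After the guest starts, `ebtables -t nat -L` (as Stefan suggested) shows the generated chains: the `--arp-ip-src` / `--arp-ip-dst` fields should carry the guest's address rather than the `0.0.0.0` seen earlier in the thread, which is the quickest way to confirm that the `IP` value (or the learning step, if the parameter is omitted) took effect before testing reachability of the gateway.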