[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Mon Nov 7 09:25:41 UTC 2011


Hi,

I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
talk to each other, only to a specific gateway.

I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:

<filter name='isolatedprivatevlan-vdsm' chain='root'>
    <filterref filter='clean-traffic'/>
    <rule action='drop' direction='out' priority='500'>
        <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
    </rule>
</filter>


VM1 domain xml portion:
<interface type="bridge">
    <mac address="00:1a:4a:16:01:53"/>
    <model type="virtio"/>
    <source bridge="red"/>
    <filterref filter="isolatedprivatevlan-vdsm">
        <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
    </filterref>
</interface>


VM2 domain xml portion:
<interface type="bridge">
    <mac address="00:1a:4a:16:01:52"/>
    <model type="virtio"/>
    <source bridge="red"/>
    <filterref filter="isolatedprivatevlan-vdsm">
        <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
    </filterref>
</interface>

in each VM (Fedora 15 LiveCD) I assign ip:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1

vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1

but the filter is not working;
I can ping the VMs from each other.

Am I missing something?
Thanks,
Shahar Havivi.
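As an added example (not part of this post and not libvirt's own code), the script below reads the filter and the two interface stanzas quoted above, binds $GATEWAY_MAC from each interface's filterref parameter, and evaluates the filter's own out-direction mac rule against a few destination MACs. The evaluation model is an assumption: only this filter's mac rules are considered, in ascending priority with first match deciding and default accept; the referenced clean-traffic filter is ignored. The point is to state the intended verdicts as checks (VM-to-VM frames dropped, VM-to-gateway frames accepted) so the filter's intent can be compared against what is observed on the host. Under that model the rule as written also drops broadcast frames such as ARP requests, because their destination is not the gateway MAC; the report makes that visible.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the XML stanzas from the post, embedded so the script runs offline.
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='root'>
    <filterref filter='clean-traffic'/>
    <rule action='drop' direction='out' priority='500'>
        <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
    </rule>
</filter>"""

VM_IFACES = {
    "vm1": """<interface type="bridge">
    <mac address="00:1a:4a:16:01:53"/>
    <model type="virtio"/>
    <source bridge="red"/>
    <filterref filter="isolatedprivatevlan-vdsm">
        <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
    </filterref>
</interface>""",
    "vm2": """<interface type="bridge">
    <mac address="00:1a:4a:16:01:52"/>
    <model type="virtio"/>
    <source bridge="red"/>
    <filterref filter="isolatedprivatevlan-vdsm">
        <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
    </filterref>
</interface>""",
}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def iface_binding(iface_xml):
    """Return (vm mac, filter name, {param: value}) from an <interface> stanza."""
    iface = ET.fromstring(iface_xml)
    ref = iface.find("filterref")
    params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
    return iface.find("mac").get("address").lower(), ref.get("filter"), params


def resolve(value, params):
    """Substitute a $VARIABLE the way a <filterref> <parameter> binds it."""
    if value is None:
        return None
    if value.startswith("$"):
        name = value[1:]
        if name not in params:
            raise KeyError(f"unbound nwfilter variable ${name}")
        return params[name].lower()
    return value.lower()


def egress_verdict(filter_xml, params, dst_mac):
    """Verdict for a frame leaving the VM with destination dst_mac.

    Simplified model (assumption): only this filter's own <mac> rules with
    direction out/inout are evaluated, in ascending priority, first match
    wins, and an unmatched frame is accepted.  Referenced filters such as
    clean-traffic are ignored, so this checks the intent of the rule, not
    the exact chain libvirt generates on the host.
    """
    root = ET.fromstring(filter_xml)
    rules = []
    for rule in root.findall("rule"):
        mac = rule.find("mac")
        if mac is None or rule.get("direction") not in ("out", "inout"):
            continue
        rules.append((int(rule.get("priority", "500")), rule.get("action"), mac))
    rules.sort(key=lambda r: r[0])
    for _, action, mac in rules:
        wanted = resolve(mac.get("dstmacaddr"), params)
        hit = wanted is None or dst_mac.lower() == wanted
        if mac.get("match", "yes") == "no":  # match='no' negates the attribute test
            hit = not hit
        if hit:
            return action
    return "accept"


def isolation_report(filter_xml, ifaces):
    """For every VM, the verdict for frames to each other VM, to its gateway
    and to the broadcast address.  Returns {vm: {destination: verdict}}."""
    bindings = {vm: iface_binding(xml) for vm, xml in ifaces.items()}
    report = {}
    for vm, (_, _, params) in bindings.items():
        targets = {other: mac for other, (mac, _, _) in bindings.items() if other != vm}
        targets["gateway"] = params["GATEWAY_MAC"]
        targets["broadcast"] = BROADCAST
        report[vm] = {name: egress_verdict(filter_xml, params, mac)
                      for name, mac in targets.items()}
    return report


if __name__ == "__main__":
    for vm, verdicts in isolation_report(FILTER_XML, VM_IFACES).items():
        print(vm, verdicts)
```

The verdicts this prints are what the filter is meant to enforce; to compare them with what the host actually installed for a running domain, list the ebtables chains libvirt generates per tap device (for example with `ebtables -t nat -L` on the host) and check that a drop rule keyed on the gateway MAC is present on the interface's output chain.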