[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Wed Nov 9 09:01:01 UTC 2011 

On 08.11.11 16:34, Stefan Berger wrote:
> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >Hi,
> >
> >I want to limit VM traffic to a specific MAC address, ie VMs cannot
> >traffic each other other then a specific gateway.
> >
> >I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> >located in /etc/libvirt/nwfilter/:
> >
> ><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >     <filterref filter='clean-traffic'/>
> >     <rule action='drop' direction='out' priority='500'>
> >         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >     </rule>
> ></filter>
> >
> Try this one -- it works in 'my' subnet:
> 
> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>     <filterref filter='clean-traffic'/>
>     <rule action='drop' direction='out' priority='10'>
>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>     </rule>
> </filter>
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as
well...
> 
> 
> >VM1 domian xml portion:
> ><interface type="bridge">
> >     <mac address="00:1a:4a:16:01:53"/>
> >     <model type="virtio"/>
> >     <source bridge="red"/>
> >     <filterref filter="isolatedprivatevlan-vdsm">
> >         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
> >     </filterref>
> ></interface>
> >
> >
> >VM2 domian xml portion:
> ><interface type="bridge">
> >     <mac address="00:1a:4a:16:01:52"/>
> >     <model type="virtio"/>
> >     <source bridge="red"/>
> >     <filterref filter="isolatedprivatevlan-vdsm">
> >         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
> >     </filterref>
> ></interface>
> >
> >
> >in each VM (Fedora 15 LiveCD) I assign ip:
> ># ifconfig eth0 10.35.1.240 netmask 255.255.254.0
> ># route add default gw 10.35.1.1
> >
> >vm2:
> ># ifconfig eth0 10.35.1.241 netmask 255.255.254.0
> ># route add default gw 10.35.1.1
> >
> >but the filter is not working,
> >I can ping the VMs from each other,
> >
> >Am I missing something?
> Try the above filter that puts the check into a different 'chain'
> into different order. I'll be introducing a 'mac' chain where this
> can then be put into rather than into the 'ipv4' chain.
> The challenging part about the filtering rules is their order and
> the XML can unfortunately not abstract this 'away'.
> 
>    Stefan
> 
> 
> >Thanks,
> >Shahar Havivi.
> >
> >--
> >libvir-list mailing list
> >libvir-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/libvir-list
> >
>

More information about the libvir-list mailing list