[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Wed Nov 9 12:44:19 UTC 2011


On 09.11.11 06:44, Stefan Berger wrote:
> On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >On 08.11.11 16:34, Stefan Berger wrote:
> >>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>Hi,
> >>>
> >>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> >>>traffic each other other than a specific gateway.
> >>>
> >>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> >>>located in /etc/libvirt/nwfilter/:
> >>>
> >>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>     <filterref filter='clean-traffic'/>
> >>>     <rule action='drop' direction='out' priority='500'>
> >>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>     </rule>
> >>></filter>
> >>>
> >>Try this one -- it works in 'my' subnet:
> >>
> >><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>     <filterref filter='clean-traffic'/>
> >>     <rule action='drop' direction='out' priority='10'>
> >>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>     </rule>
> >></filter>
> >Thanks,
> >Now it is blocking the traffic but I can't get traffic to the gateway as
> >well...
> That's odd. Can you ping the gateway from the VM? Is it typically
> ping-able? Are you sure you specified the correct MAC addresses --
> check with 'arp -n' on a host in the same subnet and see what it
> shows for the gateway (ping it if you don't see an entry).
> 
>     Stefan
It's working only when I remove the line
    <filterref filter='clean-traffic'/>
from the filter...

> >>>VM1 domain xml portion:
> >>><interface type="bridge">
> >>>     <mac address="00:1a:4a:16:01:53"/>
> >>>     <model type="virtio"/>
> >>>     <source bridge="red"/>
> >>>     <filterref filter="isolatedprivatevlan-vdsm">
> >>>         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
> >>>     </filterref>
> >>></interface>
> >>>
> >>>
> >>>VM2 domain xml portion:
> >>><interface type="bridge">
> >>>     <mac address="00:1a:4a:16:01:52"/>
> >>>     <model type="virtio"/>
> >>>     <source bridge="red"/>
> >>>     <filterref filter="isolatedprivatevlan-vdsm">
> >>>         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
> >>>     </filterref>
> >>></interface>
> >>>
> >>>
> >>>in each VM (Fedora 15 LiveCD) I assign ip:
> >>># ifconfig eth0 10.35.1.240 netmask 255.255.254.0
> >>># route add default gw 10.35.1.1
> >>>
> >>>vm2:
> >>># ifconfig eth0 10.35.1.241 netmask 255.255.254.0
> >>># route add default gw 10.35.1.1
> >>>
> >>>but the filter is not working,
> >>>I can ping the VMs from each other,
> >>>
> >>>Am I missing something?
> >>Try the above filter that puts the check into a different 'chain'
> >>into different order. I'll be introducing a 'mac' chain where this
> >>can then be put into rather than into the 'ipv4' chain.
> >>The challenging part about the filtering rules is their order and
> >>the XML can unfortunately not abstract this 'away'.
> >>
> >>    Stefan
> >>
> >>
> >>>Thanks,
> >>>Shahar Havivi.
> >>>
> >>>--
> >>>libvir-list mailing list
> >>>libvir-list at redhat.com
> >>>https://www.redhat.com/mailman/listinfo/libvir-list
> >>>
> 
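Added example (not code from the thread or from libvirt): a small pre-flight check for the setup discussed above. It expands the `$GATEWAY_MAC` variable from the domain's `<filterref>` parameters into the nwfilter rules, flags unbound variables or malformed MACs, and cross-checks the supplied gateway MAC against an `arp -n` listing as Stefan suggests, since a wrong MAC turns the `match='no'` drop rule into "drop everything". The XML and the `arp -n` output are constructed to mirror the thread; chain placement and rule ordering, which the thread identifies as the hard part, are not modelled here.

```python
import re
import xml.etree.ElementTree as ET
# Constructed inputs modelled on the thread; not captured from a real host.
IFACE_XML = """<interface type="bridge"><mac address="00:1a:4a:16:01:53"/>
<source bridge="red"/><filterref filter="isolatedprivatevlan-vdsm">
<parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/></filterref></interface>"""
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
<filterref filter='clean-traffic'/>
<rule action='drop' direction='out' priority='10'>
<mac match='no' dstmacaddr='$GATEWAY_MAC'/></rule></filter>"""
ARP_N = """Address      HWtype  HWaddress          Flags Mask  Iface
10.35.1.1    ether   00:00:0c:07:ac:00  C           eth0
10.35.1.241  ether   00:1a:4a:16:01:52  C           eth0"""
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def filterref_params(iface_xml):
    """{variable: value} supplied by the domain's <filterref><parameter> elements."""
    ref = ET.fromstring(iface_xml).find("filterref")
    return {p.get("name"): p.get("value").lower() for p in ref.findall("parameter")}

def expand_rules(filter_xml, params):
    """Rules with $VAR substituted, sorted by priority (lower value is evaluated first)."""
    rules = []
    for rule in ET.fromstring(filter_xml).findall("rule"):
        for proto in rule:  # protocol element, e.g. <mac .../>
            attrs = {k: params.get(v[1:], v) if v.startswith("$") else v
                     for k, v in proto.attrib.items()}
            rules.append((int(rule.get("priority")), rule.get("action"),
                          rule.get("direction"), proto.tag, attrs))
    return sorted(rules)

def arp_mac(arp_text, ip):
    """MAC that 'arp -n' shows for ip, or None if the entry is absent (header never matches)."""
    for f in (line.split() for line in arp_text.splitlines()):
        if f and f[0] == ip:
            return f[2].lower()
    return None

def check(iface_xml, filter_xml, arp_text, gateway_ip):
    """Problems that would make the drop rule block the gateway too; [] means consistent."""
    params = filterref_params(iface_xml)
    problems = ["malformed MAC " + m for m in params.values() if not MAC_RE.match(m)]
    for _, _, _, _, attrs in expand_rules(filter_xml, params):
        problems += ["unbound variable " + v for v in attrs.values() if v.startswith("$")]
    seen = arp_mac(arp_text, gateway_ip)
    if seen is None:
        problems.append(f"no ARP entry for {gateway_ip}: ping it, then re-check")
    elif seen != params.get("GATEWAY_MAC"):
        problems.append(f"GATEWAY_MAC {params.get('GATEWAY_MAC')} != ARP {seen}")
    return problems
```

Run `check(IFACE_XML, FILTER_XML, ARP_N, "10.35.1.1")` with the real `arp -n` output from a host on the same subnet substituted for `ARP_N`; an empty list means the parameter matches what the network actually reports for the gateway.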