[libvirt] nwfilter - limit VM traffic to specific mac address

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Nov 9 14:20:40 UTC 2011


On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> On 09.11.11 06:44, Stefan Berger wrote:
>> On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>>> On 08.11.11 16:34, Stefan Berger wrote:
>>>> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>>>>> Hi,
>>>>>
>>>>> I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
>>>>> traffic each other other than a specific gateway.
>>>>>
>>>>> I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
>>>>> located in /etc/libvirt/nwfilter/:
>>>>>
>>>>> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>>>>>      <filterref filter='clean-traffic'/>
>>>>>      <rule action='drop' direction='out' priority='500'>
>>>>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>>      </rule>
>>>>> </filter>
>>>>>
>>>> Try this one -- it works in 'my' subnet:
>>>>
>>>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>>>      <filterref filter='clean-traffic'/>
>>>>      <rule action='drop' direction='out' priority='10'>
>>>>          <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>>>      </rule>
>>>> </filter>
>>> Thanks,
>>> Now it is blocking the traffic but I can't get traffic to the gateway as
>>> well...
>> That's odd. Can you ping the gateway from the VM? Is it typically
>> ping-able? Are you sure you specified the correct MAC addresses --
>> check with 'arp -n' on a host in the same subnet and see what it
>> shows for the gateway (ping it if you don't see an entry).
>>
>>      Stefan
> It's working only when I remove the line
>      <filterref filter='clean-traffic'/>
> from the filter...
>
While you ping the gateway, can you re-add the above line to the filter?

    Stefan
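As an added example (not code from the thread or from libvirt), here is a small Python helper that emits the filter Stefan posted above, produces the domain `<interface>` filterref that binds the `$GATEWAY_MAC` variable the filter depends on, and flags any variable the interface leaves unbound; the gateway MAC `52:54:00:00:00:01` used below is a constructed placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Colon-separated, six-octet MAC address.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def build_isolation_filter(name="isolatedprivatevlan-vdsm", chain="ipv4", priority=10):
    """Return the nwfilter XML from the thread as a string.

    The single rule drops every outbound frame whose destination MAC is not
    the value bound to $GATEWAY_MAC; clean-traffic is pulled in by reference.
    """
    root = ET.Element("filter", name=name, chain=chain)
    ET.SubElement(root, "filterref", filter="clean-traffic")
    rule = ET.SubElement(root, "rule", action="drop", direction="out",
                         priority=str(priority))
    ET.SubElement(rule, "mac", match="no", dstmacaddr="$GATEWAY_MAC")
    return ET.tostring(root, encoding="unicode")


def interface_filterref(gateway_mac, filter_name="isolatedprivatevlan-vdsm"):
    """Return the <filterref> for a domain <interface> that binds GATEWAY_MAC.

    libvirt substitutes $GATEWAY_MAC with this parameter value when it
    instantiates the filter for the interface. Malformed MACs are rejected
    up front so a typo cannot silently turn into a rule that drops everything.
    """
    if not MAC_RE.match(gateway_mac):
        raise ValueError(f"not a MAC address: {gateway_mac!r}")
    ref = ET.Element("filterref", filter=filter_name)
    ET.SubElement(ref, "parameter", name="GATEWAY_MAC", value=gateway_mac.lower())
    return ET.tostring(ref, encoding="unicode")


def unbound_variables(filter_xml, bound):
    """List the $VARIABLES a filter uses that the interface does not bind."""
    used = set(re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", filter_xml))
    return sorted(used - set(bound))


if __name__ == "__main__":
    # Constructed placeholder gateway MAC, not a real address.
    print(build_isolation_filter())
    print(interface_filterref("52:54:00:00:00:01"))
    print(unbound_variables(build_isolation_filter(), []))
```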