[libvirt] nwfilter - limit VM traffic to specific mac address

Shahar Havivi shaharh at redhat.com
Thu Nov 10 10:21:43 UTC 2011


On 10.11.11 11:30, Shahar Havivi wrote:
> On 09.11.11 10:49, Stefan Berger wrote:
> > On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> > >On 09.11.11 09:20, Stefan Berger wrote:
> > >>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> > >>>On 09.11.11 06:44, Stefan Berger wrote:
> > >>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> > >>>>>On 08.11.11 16:34, Stefan Berger wrote:
> > >>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> > >>>>>>>Hi,
> > >>>>>>>
> > >>>>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> > >>>>>>>send traffic to each other, other than to a specific gateway.
> > >>>>>>>
> > >>>>>>>I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
> > >>>>>>>located in /etc/libvirt/nwfilter/:
> > >>>>>>>
> > >>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> > >>>>>>>     <filterref filter='clean-traffic'/>
> > >>>>>>>     <rule action='drop' direction='out' priority='500'>
> > >>>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> > >>>>>>>     </rule>
> > >>>>>>></filter>
> > >>>>>>>
> > >>>>>>Try this one -- it works in 'my' subnet:
> > >>>>>>
> > >>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> > >>>>>>     <filterref filter='clean-traffic'/>
> > >>>>>>     <rule action='drop' direction='out' priority='10'>
> > >>>>>>         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> > >>>>>>     </rule>
> > >>>>>></filter>
> > >>>>>Thanks,
> > >>>>>Now it is blocking the traffic but I can't get traffic to the gateway as
> > >>>>>well...
> > >>>>That's odd. Can you ping the gateway from the VM? Is it typically
> > >>>>ping-able? Are you sure you specified the correct MAC addresses --
> > >>>>check with 'arp -n' on a host in the same subnet and see what it
> > >>>>shows for the gateway (ping it if you don't see an entry).
> > >>>>
> > >>>>     Stefan
> > >>>It's working only when I remove the line
> > >>>     <filterref filter='clean-traffic'/>
> > >>>from the filter...
> > >>While you ping the gateway, can you re-add the above line to the filter?
> > >>
> > >>    Stefan
> > >It's working, even when stopping the ping and re-pinging the gateway,
> > >but it stops working after I stop and start the VM.
> > >
> > How does the VM get its IP address, static or DHCP ? If DHCP, could
> > you try a static IP address?
> > 
> > In case it doesn't work, what does 'ebtables -t nat -L' show and
> > which IP address is assigned to the VM's interface?
> > 
> >    Stefan
> Static IP; the ebtables output shows IP 0.0.0.0 for the VM MAC address:
> 
> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
> --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
> --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
> -j DROP
> 
> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
> 0:1a:4a:16:1:52 -j ACCEPT 
> -j DROP
> 
> 
> How can I set the IP in this case?
Ok,
it's working when I set the IP in the filter:
<filterref filter='clean-traffic'>
    <parameter name='IP' value='10.35.16.50'/>
</filterref>

I guess it's the only solution...?
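Added example, not posted by anyone in this thread: the two pieces of configuration the discussion converges on, written so that the VM's IP and the gateway MAC are supplied from the domain XML instead of being hard-coded inside the filter. The filter body is the one Stefan posted (rule in the ipv4 chain, so only IPv4 frames not addressed to the gateway are dropped and the VM's ARP broadcasts still go out, which is what lets it resolve the gateway at all). The VM MAC is the one from the ebtables output above; the gateway MAC, bridge name and interface layout are placeholders. Giving clean-traffic the IP as a parameter is the documented way to turn off its IP-address learning; this example assumes the IP parameter set on the interface's filterref is inherited by the nested clean-traffic reference.

```xml
<!-- File 1 (assumed path): /etc/libvirt/nwfilter/isolatedprivatevlan-vdsm.xml
     Variables $GATEWAY_MAC and $IP are not defined here; they are filled in
     from the <parameter> entries on the domain's <filterref>. -->
<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <!-- anti-spoofing for MAC, IP and ARP; with IP supplied, no address learning -->
  <filterref filter='clean-traffic'/>
  <!-- drop every outbound IPv4 frame whose destination MAC is not the gateway,
       so guests on the same bridge cannot talk to each other directly -->
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- File 2: the <interface> element inside the guest's domain XML (constructed
     sample; bridge name and gateway MAC are placeholders, the VM MAC is the one
     seen in the ebtables output). The filterref passes the values down. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='00:1a:4a:16:01:52'/>
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='GATEWAY_MAC' value='00:00:5e:00:53:01'/>  <!-- placeholder -->
    <parameter name='IP' value='10.35.16.50'/>
  </filterref>
</interface>
```

Load the filter with `virsh nwfilter-define isolatedprivatevlan-vdsm.xml` and check the rules libvirt generated with `ebtables -t nat -L` as done above; a guest that references the filter picks the rules up when it is started, and a guest MAC or IP that does not match the declared parameters is dropped by clean-traffic rather than let through.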