Shahar Havivi <shah...@redhat.com> wrote on 06/20/2011 08:11:43 AM:

> From: Shahar Havivi <shah...@redhat.com>
> To: Stefan Berger/Watson/IBM@IBMUS
> Cc: libvirt-l...@redhat.com
> Date: 06/20/2011 08:13 AM
> Subject: Re: nwfilter: limit VM traffic to specific MAC
>
> On 20.06.11 08:02, Stefan Berger wrote:
> > Shahar Havivi <shah...@redhat.com> wrote on 06/20/2011 07:39:35 AM:
> >
> > > From: Shahar Havivi <shah...@redhat.com>
> > > To: libvirt-l...@redhat.com
> > > Cc: Stefan Berger/Watson/IBM@IBMUS
> > > Date: 06/20/2011 07:42 AM
> > > Subject: nwfilter: limit VM traffic to specific MAC
> > >
> > > Hi,
> > > I am trying to add a custom filter to block VM traffic to other VMs by
> > > limiting the traffic only to the gateway's MAC address.
> > > The filter XML:
> > >
> > >   <filter name='rhev' chain='root'>
> > >     <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
> > >     <filterref filter='allow-dhcp'/>
> > >     <rule action='drop' direction='out' priority='500'>
> > >       <mac match='no' dstmacaddr='$MAC'/>
> > >     </rule>
> > >   </filter>
> > >
> > > The MAC is not the interface MAC address, it's the gateway's MAC that is
> > > passed as a parameter (I use the gateway address hardcoded as well).
> > >
> > > The VM is getting a DHCP IP but cannot get any traffic.
> > > I notice that when I edit (comment and uncomment) the drop rule, the
> > > filter is working fine, i.e. no traffic other than the gateway.
> > >
> > > 1. Am I doing something wrong?
> >
> > Try to put the concrete MAC address of the gateway into the dstmacaddr
> > field. $MAC is going to be translated to the MAC address of the interface.
> > Once it works, try using $GATEWAY_MAC and have that defined via <parameter
> > name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the
> > 'rhev' filter.
> >
> > The DHCP server must be running on the gateway.
>
> Thank you Stefan,
> Instead of adding the 'allow-dhcp' filter, can I whitelist 2 MAC addresses,
> the gateway and the DHCP server?
>
>   <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>   </rule>
>   <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$DHCP_MAC'/>
>   </rule>

Unfortunately that would not work.

   Stefan
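The two points made in the thread, that `$MAC` expands to the VM interface's own address rather than the gateway's, and that two independent "drop unless the destination is X" rules cannot whitelist two destinations, can be checked offline. The following is an added example, not code from the thread or from libvirt: it binds a filter's `$VARIABLE`s to a domain `<interface>` the way libvirt does (the built-in variable set `BUILTIN_VARS`, the bridge name `br0` and all MAC addresses are assumptions made up for the example; the referenced `allow-dhcp` filter is not expanded), then walks the expanded `<mac>` rules with first-match-decides semantics, as an ebtables chain evaluates them, to see which outbound frames survive.

```python
"""Added example, not code from the libvirt thread: bind an nwfilter's
$VARIABLEs to a domain <interface> the way libvirt does, then walk the
expanded <mac> rules to see which outbound frames survive."""
import re
import xml.etree.ElementTree as ET

# Assumption: these are the variables libvirt fills in by itself. MAC is the
# interface's own address, which is why '$MAC' in the thread never meant the gateway.
BUILTIN_VARS = {"MAC", "IP"}
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def rhev_filter(*dst_vars):
    """Constructed 'rhev' filter: allow-dhcp plus one drop-unless-dst rule per variable."""
    rules = "".join(
        "  <rule action='drop' direction='out' priority='500'>\n"
        "    <mac match='no' dstmacaddr='%s'/>\n  </rule>\n" % v for v in dst_vars)
    return ("<filter name='rhev' chain='root'>\n  <filterref filter='allow-dhcp'/>\n"
            + rules + "</filter>\n")


def iface(params):
    """Constructed domain <interface> referencing 'rhev'; bridge and MACs are made up."""
    plist = "".join("    <parameter name='%s' value='%s'/>\n" % kv for kv in params.items())
    return ("<interface type='bridge'>\n  <source bridge='br0'/>\n"
            "  <mac address='52:54:00:12:34:56'/>\n  <filterref filter='rhev'>\n"
            + plist + "  </filterref>\n</interface>\n")


RHEV_FILTER_MAC = rhev_filter("$MAC")                      # the poster's original
RHEV_FILTER_GW = rhev_filter("$GATEWAY_MAC")               # Stefan's suggestion
RHEV_TWO_DROPS = rhev_filter("$GATEWAY_MAC", "$DHCP_MAC")  # the follow-up idea
IFACE_NO_PARAM = iface({})
IFACE_WITH_PARAMS = iface({"GATEWAY_MAC": "00:11:22:33:44:55",
                           "DHCP_MAC": "00:11:22:33:44:66"})


def interface_bindings(iface_xml, filter_name):
    """Return (own MAC, {parameter: value}) that the interface hands to filter_name."""
    node = ET.fromstring(iface_xml)
    params = {}
    for ref in node.findall("filterref"):
        if ref.get("filter") == filter_name:
            for p in ref.findall("parameter"):
                params[p.get("name")] = p.get("value")
    return node.find("mac").get("address"), params


def filter_variables(filter_xml):
    """Every $VARIABLE referenced from a rule's protocol element attributes."""
    names = set()
    for rule in ET.fromstring(filter_xml).iter("rule"):
        for proto in rule:                       # <mac/>, <ip/>, <arp/> ...
            for value in proto.attrib.values():
                names.update(VAR_RE.findall(value))
    return names


def unresolved_variables(filter_xml, iface_xml):
    """Variables neither libvirt nor the referencing interface defines; libvirt
    reports an error instead of instantiating the filter for such an interface."""
    _, params = interface_bindings(iface_xml, ET.fromstring(filter_xml).get("name"))
    return filter_variables(filter_xml) - BUILTIN_VARS - set(params)


def effective_mac_rules(filter_xml, iface_xml):
    """Expand the variables in the <mac> rules for this interface and return
    (action, direction, match, dstmacaddr) in document order. Unknown variables
    are left as written so the caller can see what stayed unresolved."""
    root = ET.fromstring(filter_xml)
    own_mac, params = interface_bindings(iface_xml, root.get("name"))
    env = dict(params, MAC=own_mac)
    rules = []
    for rule in root.iter("rule"):
        for mac in rule.findall("mac"):
            dst = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)),
                             mac.get("dstmacaddr", ""))
            rules.append((rule.get("action"), rule.get("direction"),
                          mac.get("match", "yes"), dst))
    return rules


def outbound_allowed(filter_xml, iface_xml, dst_mac):
    """First matching rule decides, as in an ebtables chain; a frame no rule
    matches falls through and is allowed. Two independent 'drop unless dst == X'
    rules therefore drop every frame: each destination fails one of them."""
    for action, direction, match, target in effective_mac_rules(filter_xml, iface_xml):
        if direction != "out":
            continue
        if (dst_mac.lower() == target.lower()) == (match == "yes"):
            return action == "accept"
    return True
```

With the poster's original filter, `effective_mac_rules(RHEV_FILTER_MAC, IFACE_NO_PARAM)` expands `$MAC` to the VM's own `52:54:00:12:34:56`, so the drop rule discards every frame not addressed to the VM itself. With `$GATEWAY_MAC` and no `<parameter>` on the interface, `unresolved_variables` reports `{'GATEWAY_MAC'}`; once the parameter is supplied, only frames to the gateway pass. For the two-rule variant, `outbound_allowed` returns `False` for both the gateway and the DHCP server MAC, which is what "that would not work" means in practice.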
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list