On 11/09/2011 04:01 AM, Shahar Havivi wrote:
On 08.11.11 16:34, Stefan Berger wrote:
On 11/07/2011 04:25 AM, Shahar Havivi wrote:
Hi,

I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
traffic each other other than a specific gateway.

I am using custom nwfilter name: isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:

<filter name='isolatedprivatevlan-vdsm' chain='root'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='500'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>

Try this one -- it works in 'my' subnet:

<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
     <filterref filter='clean-traffic'/>
     <rule action='drop' direction='out' priority='10'>
         <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
     </rule>
</filter>
Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as
well...
That's odd. Can you ping the gateway from the VM? Is it typically ping-able? Are you sure you specified the correct MAC addresses -- check with 'arp -n' on a host in the same subnet and see what it shows for the gateway (ping it if you don't see an entry).

    Stefan

VM1 domain xml portion:
<interface type="bridge">
     <mac address="00:1a:4a:16:01:53"/>
     <model type="virtio"/>
     <source bridge="red"/>
     <filterref filter="isolatedprivatevlan-vdsm">
         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
     </filterref>
</interface>


VM2 domain xml portion:
<interface type="bridge">
     <mac address="00:1a:4a:16:01:52"/>
     <model type="virtio"/>
     <source bridge="red"/>
     <filterref filter="isolatedprivatevlan-vdsm">
         <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
     </filterref>
</interface>


in each VM (Fedora 15 LiveCD) I assign ip:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1

vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1

but the filter is not working,
I can ping the VMs from each other,

Am I missing something?
Try the above filter that puts the check into a different 'chain'
into different order. I'll be introducing a 'mac' chain where this
can then be put into rather than into the 'ipv4' chain.
The challenging part about the filtering rules is their order and
the XML can unfortunately not abstract this 'away'.

    Stefan


Thanks,
Shahar Havivi.
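As an added example (not code from the thread or from libvirt), a small Python checker that resolves the $GATEWAY_MAC parameter from the interface XML copied above and evaluates the filter's own 'mac' rules for an outbound frame, so the intended verdict (gateway accepted, other VM dropped) can be checked before looking at chain ordering on the host. It assumes the XML from the thread and, as an assumption of this example, does not expand referenced filters such as clean-traffic.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the chain='ipv4' filter posted in the thread.
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>"""

# Constructed copy of the VM1 interface element from the thread.
IFACE_XML = """<interface type="bridge">
  <mac address="00:1a:4a:16:01:53"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>"""


def interface_params(iface_xml):
    """Collect <parameter name=... value=...> pairs from the interface's filterref."""
    iface = ET.fromstring(iface_xml)
    return {p.get("name"): p.get("value").lower() for p in iface.iter("parameter")}


def resolve(value, params):
    """Substitute a $VARIABLE reference with the interface's parameter value."""
    return params[value[1:]] if value.startswith("$") else value.lower()


def outbound_verdict(filter_xml, params, dst_mac):
    """Walk this filter's own <rule>s in priority order (lowest number first) and
    return the first action whose <mac> element matches an outbound frame to
    dst_mac; 'accept' if nothing matches. Referenced filters are not expanded
    (assumption of this example); only the dstmacaddr / match='no' form is handled."""
    root = ET.fromstring(filter_xml)
    rules = sorted(root.findall("rule"), key=lambda r: int(r.get("priority", "500")))
    for rule in rules:
        mac = rule.find("mac")
        if rule.get("direction") != "out" or mac is None or mac.get("dstmacaddr") is None:
            continue
        hit = dst_mac.lower() == resolve(mac.get("dstmacaddr"), params)
        if mac.get("match", "yes") == "no":  # match='no' inverts the comparison
            hit = not hit
        if hit:
            return rule.get("action")
    return "accept"
```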

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list