On 09.11.11 09:20, Stefan Berger wrote:
> On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> >On 09.11.11 06:44, Stefan Berger wrote:
> >>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >>>On 08.11.11 16:34, Stefan Berger wrote:
> >>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>>>Hi,
> >>>>>
> >>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> >>>>>send traffic to each other, other than to a specific gateway.
> >>>>>
> >>>>>I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml
> >>>>>located in /etc/libvirt/nwfilter/:
> >>>>>
> >>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>>>  <filterref filter='clean-traffic'/>
> >>>>>  <rule action='drop' direction='out' priority='500'>
> >>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>  </rule>
> >>>>></filter>
> >>>>>
> >>>>Try this one -- it works in 'my' subnet:
> >>>>
> >>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>>>  <filterref filter='clean-traffic'/>
> >>>>  <rule action='drop' direction='out' priority='10'>
> >>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>  </rule>
> >>>></filter>
> >>>Thanks,
> >>>Now it is blocking the traffic, but I can't get traffic to the gateway
> >>>as well...
> >>That's odd. Can you ping the gateway from the VM? Is it typically
> >>ping-able? Are you sure you specified the correct MAC addresses --
> >>check with 'arp -n' on a host in the same subnet and see what it
> >>shows for the gateway (ping it if you don't see an entry).
> >>
> >>   Stefan
> >It's working only when I remove the line
> >  <filterref filter='clean-traffic'/>
> >from the filter...
> >
> While you ping the gateway, can you re-add the above line to the filter?
>
>    Stefan

It's working, even when stopping the ping and re-pinging the gateway, but it stops working after I stop and start the VM.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
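Two things the thread leaves implicit matter when reproducing this setup. First, $GATEWAY_MAC is a filter variable: it gets its value per interface from a <parameter> element inside the domain's <filterref>, not from the filter file itself, so a filter that references it but is attached without a parameter binding is not usable. Second, a rule placed in chain='ipv4' is only evaluated for IPv4 frames, so it says nothing about ARP or IPv6 between VMs; those are governed by whatever clean-traffic and the other chains do. The script below is an added example for this thread, not code from the thread or from libvirt. It generates the filter exactly as Stefan posted it, generates the matching interface fragment that binds GATEWAY_MAC, validates the MAC before applying anything, and only calls virsh/ebtables when they are present. The bridge name br0, the domain name and the MAC value are placeholders.

```shell
#!/bin/sh
# Added example for the libvir-list thread above; not libvirt's own tooling.
# Assumptions: libvirt with the nwfilter driver on this host, a bridge named
# br0 (placeholder), and ebtables as the backend for the MAC-level rules.

# Validate a MAC address: six hex octets separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# The filter from the thread: layered on clean-traffic, and in the ipv4 chain
# it drops outbound IPv4 frames whose destination MAC is not the gateway.
# The heredoc is quoted so $GATEWAY_MAC stays a filter variable, not a
# shell variable.
filter_xml() {
    cat <<'EOF'
<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>
EOF
}

# The <interface> fragment that goes into the domain XML and binds
# GATEWAY_MAC for that one interface. br0 is a placeholder bridge name.
iface_xml() {
    gw="$1"
    cat <<EOF
<interface type='bridge'>
  <source bridge='br0'/>
  <filterref filter='isolatedprivatevlan-vdsm'>
    <parameter name='GATEWAY_MAC' value='$gw'/>
  </filterref>
</interface>
EOF
}

# Define the filter on the host and print back what libvirt stored.
# Refuses to proceed on a malformed MAC so a typo cannot silently turn
# the "only the gateway" rule into "drop everything".
apply_filter() {
    gw="$1"
    valid_mac "$gw" || { echo "refusing: '$gw' is not a MAC address" >&2; return 1; }
    command -v virsh >/dev/null 2>&1 || { echo "virsh not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    filter_xml > "$tmp"
    virsh nwfilter-define "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    virsh nwfilter-dumpxml isolatedprivatevlan-vdsm
    echo "Now put this into the domain's <devices> (virsh edit <domain>):"
    iface_xml "$gw"
}

# After the domain is running, confirm the rules actually landed on the
# host. libvirt programs MAC-level rules into the ebtables nat table in
# per-interface chains named libvirt-I-<vnetN> / libvirt-O-<vnetN>.
check_host_rules() {
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables not found" >&2; return 1; }
    ebtables -t nat -L | grep -E 'libvirt-(I|O)-' || {
        echo "no libvirt chains found: filter not instantiated for any interface" >&2
        return 1
    }
}

# Example invocation (placeholder MAC and bridge):
#   apply_filter 52:54:00:12:34:56
#   check_host_rules
```

When testing the "VM restart" behaviour described in the last message, compare `ebtables -t nat -L` before and after the restart: the libvirt-O-<vnetN> chain for the interface is rebuilt when the domain starts, and if it is missing or empty after the restart the filter was not instantiated at all, which is a different failure from a wrong MAC in the drop rule.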