On 10.11.11 06:25, Stefan Berger wrote:
> On 11/10/2011 05:21 AM, Shahar Havivi wrote:
> >On 10.11.11 11:30, Shahar Havivi wrote:
> >>On 09.11.11 10:49, Stefan Berger wrote:
> >>>On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> >>>>On 09.11.11 09:20, Stefan Berger wrote:
> >>>>>On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> >>>>>>On 09.11.11 06:44, Stefan Berger wrote:
> >>>>>>>On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> >>>>>>>>On 08.11.11 16:34, Stefan Berger wrote:
> >>>>>>>>>On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> >>>>>>>>>>Hi,
> >>>>>>>>>>
> >>>>>>>>>>I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> >>>>>>>>>>traffic each other other than a specific gateway.
> >>>>>>>>>>
> >>>>>>>>>>I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml
> >>>>>>>>>>located in /etc/libvirt/nwfilter/:
> >>>>>>>>>>
> >>>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='root'>
> >>>>>>>>>>  <filterref filter='clean-traffic'/>
> >>>>>>>>>>  <rule action='drop' direction='out' priority='500'>
> >>>>>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>>>>>  </rule>
> >>>>>>>>>></filter>
> >>>>>>>>>>
> >>>>>>>>>Try this one -- it works in 'my' subnet:
> >>>>>>>>>
> >>>>>>>>><filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
> >>>>>>>>>  <filterref filter='clean-traffic'/>
> >>>>>>>>>  <rule action='drop' direction='out' priority='10'>
> >>>>>>>>>    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
> >>>>>>>>>  </rule>
> >>>>>>>>></filter>
> >>>>>>>>Thanks,
> >>>>>>>>Now it is blocking the traffic but I can't get traffic to the gateway as
> >>>>>>>>well...
> >>>>>>>That's odd. Can you ping the gateway from the VM? Is it typically
> >>>>>>>ping-able? Are you sure you specified the correct MAC addresses --
> >>>>>>>check with 'arp -n' on a host in the same subnet and see what it
> >>>>>>>shows for the gateway (ping it if you don't see an entry).
> >>>>>>>
> >>>>>>>   Stefan
> >>>>>>It's working only when I remove the line
> >>>>>>  <filterref filter='clean-traffic'/>
> >>>>>>from the filter...
> >>>>>While you ping the gateway, can you re-add the above line to the filter?
> >>>>>
> >>>>>   Stefan
> >>>>It's working, even when stopping the ping and re-pinging the gateway,
> >>>>but it stops working after I stop and start the VM.
> >>>>
> >>>How does the VM get its IP address, static or DHCP? If DHCP, could
> >>>you try a static IP address?
> >>>
> >>>In case it doesn't work, what does 'ebtables -t nat -L' show and
> >>>which IP address is assigned to the VM's interface?
> >>>
> >>>   Stefan
> >>Static IP; the ebtables output shows IP 0.0.0.0 for the VM's MAC address:
> >>
> >>Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> >>-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse
> >>--arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52
> >>--arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
> >>-j DROP
> >>
> >>Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> >>-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0
> >>--arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst
> >>0:1a:4a:16:1:52 -j ACCEPT
> >>-j DROP
> >>
> >>
> >>How can I set the IP in this case?
> >Ok,
> >it's working when I set the IP in the filter:
> ><filterref filter='clean-traffic'>
> >  <parameter name='IP' value='10.35.16.50'/>
> ></filterref>
> >
> >I guess it's the only solution...?
> The IP address in the parameter XML node has to match the one
> assigned to the interface inside the VM. If they don't match nothing
> works. If you leave out the line '<parameter name=.../>' then this
> will start libvirt's IP address learning/detection that will lock
> your VM into the first IP address it detects that the VM is using on
> a particular interface. This should also work.
>
>    Stefan

Thank you Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
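A worked example of the two pieces this thread ends up with, added here and not code from the thread or from libvirt: the filter body Stefan posted (clean-traffic plus a drop rule for any outbound frame whose destination MAC is not the gateway's) and a domain-side `<filterref>` that supplies `GATEWAY_MAC` and, as Shahar found necessary, the guest's `IP`. The helper functions, the gateway MAC `00:11:22:33:44:55` and the guest address are constructed for illustration; the VM MAC `0:1a:4a:16:1:52` is the one from the ebtables output above. The check catches the failure the thread ran into: an `IP` parameter that does not equal the address configured inside the guest.

```python
"""Build and sanity-check the libvirt nwfilter pieces from the thread.

Added example, not the thread's or libvirt's own code. Only the standard
library is used so it runs offline; nothing here talks to libvirtd.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

FILTER_NAME = "isolatedprivatevlan-vdsm"

# Filter body as posted by Stefan: chain 'ipv4', clean-traffic first, then
# drop every outbound frame not addressed to the gateway MAC.
FILTER_XML = f"""<filter name='{FILTER_NAME}' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>"""

_HEX_OCTET = re.compile(r"^[0-9a-f]{1,2}$")


def normalize_mac(mac):
    """Return a lowercase, zero-padded MAC (ebtables prints '0:1a:4a:16:1:52'
    without padding); raise ValueError for anything that is not six hex octets."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(_HEX_OCTET.match(p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def build_interface_xml(gateway_mac, vm_ip=None):
    """Build the <filterref> that goes inside the domain's <interface>.

    vm_ip=None omits the IP parameter, which makes libvirt fall back to its
    IP learning and lock the interface to the first address it sees the
    guest use (Stefan's last reply); passing vm_ip pins it explicitly.
    """
    ref = ET.Element("filterref", {"filter": FILTER_NAME})
    ET.SubElement(ref, "parameter",
                  {"name": "GATEWAY_MAC", "value": normalize_mac(gateway_mac)})
    if vm_ip is not None:
        ET.SubElement(ref, "parameter",
                      {"name": "IP", "value": str(ipaddress.IPv4Address(vm_ip))})
    return ET.tostring(ref, encoding="unicode")


def filter_parameters(filter_xml):
    """Return the set of $VARIABLE names a filter references, i.e. what the
    interface's <parameter> entries must supply (here just GATEWAY_MAC)."""
    root = ET.fromstring(filter_xml)
    names = set()
    for el in root.iter():
        for value in el.attrib.values():
            if value.startswith("$"):
                names.add(value[1:])
    return names


def check_interface(interface_xml, guest_ip):
    """Return a list of problems; an empty list means the pieces agree.

    Checks the things that broke in the thread: every variable the filter
    references has a value, the gateway MAC is well-formed, and an explicit
    IP parameter equals the address configured inside the guest (a mismatch
    makes clean-traffic drop everything, gateway traffic included).
    """
    problems = []
    ref = ET.fromstring(interface_xml)
    params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
    for needed in sorted(filter_parameters(FILTER_XML)):
        if needed not in params:
            problems.append(f"missing parameter {needed}")
    if "GATEWAY_MAC" in params:
        try:
            normalize_mac(params["GATEWAY_MAC"])
        except ValueError as exc:
            problems.append(str(exc))
    guest = str(ipaddress.IPv4Address(guest_ip))
    if "IP" in params and params["IP"] != guest:
        problems.append(f"IP parameter {params['IP']} != guest address {guest}")
    return problems


if __name__ == "__main__":
    # Constructed gateway MAC; the guest IP is the one Shahar used.
    iface = build_interface_xml("00:11:22:33:44:55", "10.35.16.50")
    print(FILTER_XML)
    print(iface)
    print("ok" if not check_interface(iface, "10.35.16.50") else "mismatch")
    print(check_interface(iface, "10.35.16.51"))
```

The filter text is what `virsh nwfilter-define` would load, and the generated `<filterref>` is what sits inside the domain's `<interface>` element; keeping the guest's configured address and the `IP` parameter in one place (or generating both from it) is the simplest way to avoid the silent total drop the thread describes.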