Shahar Havivi <[email protected]> wrote on 06/20/2011 07:39:35 AM:

> From: Shahar Havivi <[email protected]>
> To: [email protected]
> Cc: Stefan Berger/Watson/IBM@IBMUS
> Date: 06/20/2011 07:42 AM
> Subject: nwfilter: limit VM traffic to specific MAC
>
> Hi,
> I am trying to add a custom filter to block VM traffic to other VMs by limiting
> the traffic only to the gateway's MAC address.
> The filter XML:
>
> <filter name='rhev' chain='root'>
>   <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
>   <filterref filter='allow-dhcp'/>
>   <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$MAC'/>
>   </rule>
> </filter>
>
> The MAC is not the interface MAC address; it's the gateway's MAC that is passed as a
> parameter (I use the gateway address hardcoded as well).
>
> The VM is getting a DHCP IP but cannot get any traffic.
> I notice that when I edit (comment and uncomment) the drop rule, the filter is
> working fine, i.e. no traffic other than the gateway.
>
> 1. Am I doing something wrong?

Try to put the concrete MAC address of the gateway into the dstmacaddr field. $MAC is going to be translated to the MAC address of the interface. Once it works, try using $GATEWAY_MAC and have that defined via <parameter name='GATEWAY_MAC' value='a.b.c.d'/> from wherever you are referencing the 'rhev' filter. The DHCP server must be running on the gateway.

> 2. What is the table name that libvirt uses for ebtables?

It's the 'nat' table: 'ebtables -t nat -L' shows you the resulting rules.

Stefan

>
> Shahar.
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
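As an added illustration of the setup Stefan's reply describes (this is not from the thread, nor libvirt's own documentation): the 'rhev' filter with the gateway MAC taken from a parameter, next to a domain interface element that references the filter and supplies that parameter. The bridge name and both MAC addresses are constructed placeholders, and the allow-arp reference is my assumption, added so that ARP resolution of the gateway is not caught by the drop rule.

```xml
<!-- nwfilter definition, loaded with: virsh nwfilter-define rhev.xml -->
<filter name='rhev' chain='root'>
  <uuid>cd4e5890-ccc9-1b0f-303f-e7fe7123646d</uuid>
  <!-- allow-dhcp is what the original filter referenced; allow-arp is an
       assumption added here so ARP to/from the gateway still passes -->
  <filterref filter='allow-dhcp'/>
  <filterref filter='allow-arp'/>
  <!-- $GATEWAY_MAC is filled in from the referencing interface's <parameter>.
       $MAC would instead expand to the VM interface's own address, which is
       why the original rule dropped everything the VM sent. -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

<!-- <interface> element of the domain XML that references the filter -->
<interface type='bridge'>
  <source bridge='br0'/>                        <!-- placeholder bridge -->
  <mac address='52:54:00:aa:bb:cc'/>            <!-- placeholder VM MAC -->
  <filterref filter='rhev'>
    <!-- placeholder: the real gateway's MAC goes here -->
    <parameter name='GATEWAY_MAC' value='00:11:22:33:44:55'/>
  </filterref>
</interface>
```

Once the domain is running, the generated rules can be inspected with 'ebtables -t nat -L', as the reply notes.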
