[libvirt] iptables and libvirt
Karl Wirth
kwirth at redhat.com
Fri Feb 13 15:12:32 UTC 2009
Daniel P. Berrange wrote:
> Actually I believe Karl's use case is that the host explicitly *does*
> know the IP the guest is /supposed/ to be using, and wants to prevent
> it spoofing someone else's IP.
>
Yes. This is what I was thinking.
> I agree with your general point though, that when trying this in a general
> purpose OS deployment I don't think you can provide sufficient guarantees
> from a libvirt POV. There are simply too many other things that may break
> or otherwise badly interact with the iptables rules we're adding. At the
> very simplest level, 'service iptables restart' messes things up.
>
> In the context of a controlled host image, like the oVirt managed node,
> the mgmt app is in control of the host OS, and in such a scenario it
> may be practical for libvirt to add iptables rules for guests.
>
I was thinking of a fully managed node.
Thanks for this feedback.
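As an added illustration of the rules the thread discusses (this is not libvirt's code and not from the thread), the shell below pins one guest tap device to the IP and MAC the host expects, and includes a check for the failure mode Daniel mentions, a ruleset reload that silently drops the per-guest rules. Assumed names: tap device vnet0, bridge br0, the guest IP/MAC, and the chain name guest-<tap>; all sample values are constructed.

```shell
#!/bin/sh
# Added example: per-guest anti-spoofing rules of the kind a managed node
# could install, plus a check that they are still present after a reload.
# Assumptions: guest traffic enters the host bridge via a tap device (vnet0),
# and the host knows the guest's assigned IP and MAC. All values constructed.

# Emit the iptables commands that pin one tap device to one IP/MAC pair.
# Forwarded traffic from that device with any other source is dropped.
antispoof_rules() {
    tap=$1; ip=$2; mac=$3
    echo "iptables -N guest-$tap"
    echo "iptables -A FORWARD -m physdev --physdev-in $tap -j guest-$tap"
    echo "iptables -A guest-$tap -m mac --mac-source $mac -s $ip -j RETURN"
    echo "iptables -A guest-$tap -j DROP"
}

# Apply the rules for real (needs root) when APPLY=1; otherwise print them.
install_antispoof() {
    if [ "${APPLY:-0}" = 1 ]; then
        antispoof_rules "$@" | sh -e
    else
        antispoof_rules "$@"
    fi
}

# Return 0 if a saved ruleset (iptables-save output on stdin) still holds the
# jump into the per-guest chain, 1 if it is gone, e.g. after
# 'service iptables restart' replaced it with the host's static ruleset.
antispoof_present() {
    tap=$1
    grep -q -- "-A FORWARD -m physdev --physdev-in $tap -j guest-$tap"
}

# Constructed iptables-save snippet as it would look after a restart wiped
# the dynamically added rules: only the static host rules remain.
AFTER_RESTART='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -j ACCEPT
COMMIT'

if [ "${1:-}" = demo ]; then
    install_antispoof vnet0 192.0.2.10 52:54:00:12:34:56
    printf '%s\n' "$AFTER_RESTART" | antispoof_present vnet0 \
        || echo "guest rules missing on vnet0"
fi
```

Run with `sh script.sh demo` to print the rules and see the missing-rule warning; a periodic `iptables-save | antispoof_present vnet0` from the management agent is one way to detect the reload problem instead of relying on the rules staying put.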