[libvirt] iptables and libvirt
Thomas Woerner
twoerner at redhat.com
Fri Feb 13 18:21:10 UTC 2009
Karl Wirth wrote:
> Hi,
>
> I would like your feedback on the following idea.
>
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host. The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.
>
First, one thing: the firewall setup for EL-5 and EL-6 uses the same
mechanism, with accept rules first and reject rules afterwards.
This means that adding an accept rule before the reject rule could open
up the firewall.
> Here are some specifics:
> - Physical systems typically isolated using firewalls protecting well
> known ports.
> - With virt, on shared physical device, use a bridge to give full LAN
> access to vm
> - Or a virtual network which is an isolated bridge with no physical
> connection. Guest can talk to each other directly. Only NAT'd outbound.
> - The idea is to eventually make it easy to centrally set up iptable
> rules for guests that are applied in the host iptables.
> - We would have to be able to migrate the iptables rules and the state
> data with vm as it moves
>
Migration of the state will be a problem for EL-5 and IPv6, because
stateful firewalling in EL-5 is only possible with IPv4. This is due to
using different netfilter interfaces for IPv4 and IPv6.
> The benefits of this would be we could:
> - Create networking controls that provide same isolation as physical systems
> - Control which VMs can talk to which others
>
> Integration option:
> - Integration in virtd because it knows about the guests and their
> network parameters.
>
Some Questions:
1) Should it be a static system with predefined rules or a fully dynamic
system?
2) Will there be a configuration utility for the rules?
3) What do you want to do with user-customized firewalls?
Thanks,
Thomas
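The following is an added example, not code from this thread or from libvirt. It models iptables-save text for the idea discussed above (per-guest rules kept in the host firewall, one chain per guest) and for Thomas's caveat about the EL-5/EL-6 layout, where accept rules come first and a catch-all reject last: an ACCEPT inserted ahead of the REJECT opens the chain, while one appended after it never fires. The guest names, tap interface names and addresses, and the host ruleset used for the check are all constructed for the example.

```python
"""Added example, not code from this thread or from libvirt: it models
iptables-save text for per-guest rules kept in the host firewall (one chain
per guest) and checks the EL-5/EL-6 ordering caveat: ACCEPT rules first, a
catch-all REJECT last, so an ACCEPT inserted ahead of the REJECT opens the
chain while one appended after it never fires. Guest names, tap interfaces
and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# options that narrow a rule; a terminal rule without any of them catches everything
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "-m", "--dport", "--sport", "--state"}


@dataclass
class Guest:
    name: str
    iface: str                                         # host-side tap of the guest (assumed)
    ip: str
    allow_in: List[int] = field(default_factory=list)  # TCP ports open to anyone
    peers: List[str] = field(default_factory=list)     # guests allowed to reach this one


def chain_name(g: Guest) -> str:
    return f"VM-{g.name}"[:28]          # iptables caps chain names at 28 characters


def guest_chain(g: Guest, by_name: Dict[str, Guest]) -> List[str]:
    """One chain per guest: ACCEPTs first, unconditional REJECT last, so the
    position of the jump inside FORWARD never decides what is open."""
    c = chain_name(g)
    rules = [f"-A {c} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"-A {c} -p tcp -m tcp --dport {p} -m state --state NEW -j ACCEPT" for p in g.allow_in]
    rules += [f"-A {c} -s {by_name[peer].ip} -j ACCEPT" for peer in g.peers]
    return rules + [f"-A {c} -j REJECT --reject-with icmp-host-prohibited"]


def render_ruleset(guests: List[Guest]) -> List[str]:
    """iptables-restore text: forwarded traffic bound for a guest's tap goes to its chain."""
    by_name = {g.name: g for g in guests}
    lines = ["*filter"] + [f":{chain_name(g)} - [0:0]" for g in guests]
    lines += [f"-A FORWARD -o {g.iface} -j {chain_name(g)}" for g in guests]
    for g in guests:
        lines += guest_chain(g, by_name)
    return lines + ["COMMIT"]


def audit(ruleset: List[str]) -> Dict[str, List[str]]:
    """Walk iptables-save text chain by chain. 'dead' lists rules placed after
    an unconditional terminal rule (never reached); 'open' lists reachable
    unconditional ACCEPTs (everything not matched earlier gets through)."""
    closed, report = set(), {"dead": [], "open": []}
    for line in ruleset:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "-A":
            continue
        chain = tok[1]
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        narrowed = any(t in MATCH_OPTS for t in tok[2:])
        if chain in closed:
            report["dead"].append(line)
        elif target in TERMINAL and not narrowed:
            closed.add(chain)
            if target == "ACCEPT":
                report["open"].append(line)
    return report


def apply_command(ruleset: List[str], cmd: str) -> List[str]:
    """Emulate `iptables -A CHAIN ...` and `iptables -I CHAIN [N] ...` on
    iptables-save text; -I defaults to position 1, N == count+1 appends."""
    tok = cmd.split()
    action, chain, rest = tok[0], tok[1], tok[2:]
    pos = 1
    if action == "-I" and rest and rest[0].isdigit():
        pos, rest = int(rest[0]), rest[1:]
    rule = f"-A {chain} " + " ".join(rest)
    idx = [i for i, l in enumerate(ruleset) if l.startswith(f"-A {chain} ")]
    if action == "-A" or pos == len(idx) + 1:
        at = idx[-1] + 1 if idx else (ruleset.index("COMMIT") if "COMMIT" in ruleset else len(ruleset))
    elif 1 <= pos <= len(idx):
        at = idx[pos - 1]
    else:
        raise ValueError(f"no rule at position {pos} in chain {chain}")
    return ruleset[:at] + [rule] + ruleset[at:]


# Constructed host ruleset in the EL-5 layout: accepts first, catch-all reject last.
EL5_HOST = [
    "*filter",
    ":RH-Firewall-1-INPUT - [0:0]",
    "-A INPUT -j RH-Firewall-1-INPUT",
    "-A FORWARD -j RH-Firewall-1-INPUT",
    "-A RH-Firewall-1-INPUT -i lo -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
    "COMMIT",
]

if __name__ == "__main__":
    print(audit(apply_command(EL5_HOST, "-I RH-Firewall-1-INPUT -j ACCEPT"))["open"])
    print(audit(apply_command(EL5_HOST, "-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT"))["dead"])
    web = Guest("web", "vnet0", "192.168.122.10", allow_in=[80, 443])
    print("\n".join(render_ruleset([web, Guest("db", "vnet1", "192.168.122.11", peers=["web"])])))
```

The per-guest chain is what makes the host-side rules migratable as a unit: the guest's chain and its FORWARD jump can be removed on the source and re-created on the destination from the same guest description, and because every chain ends in its own REJECT, adding the jump anywhere in FORWARD cannot widen what the host already allows. The audit is a static check on text only; it knows nothing about connection state, which is the part Thomas notes cannot be carried across for IPv6 on EL-5.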