[libvirt] iptables and libvirt

Charles Duffy Charles_Duffy at messageone.com
Tue Feb 17 02:04:34 UTC 2009


One way to do this is to place a tiny VM (static kernel+very small 
initramfs [uClibc+busybox+iptables+dnsmasq]) between VM clusters and the 
host, rather than giving the host an IP on each cluster's bridge 
directly. The tool that launches it (via libvirt) appends extra files to 
the initramfs giving iptables rules to be run. I use this "virtual 
router" to NETMAP multiple clouds of VMs which all think they're using 
the same network space (say, 192.168.0.0/24) onto different subnets 
(say, 192.168.1.x and 192.168.2.x for the first two clusters), but also 
have added support for redirecting connections intended for specific 
targets to elsewhere, overriding DNS results for specific hosts, and 
other miscellaneous utility functions.

Using a separate VM rather than iptables rules on the host was necessary 
in my use case because doing symmetrical NETMAP properly requires 
packets from the host to the clients to pass through the PREROUTING 
table -- which packets generated within a given host don't do.


If anyone (libvirt/oVirt/whomever) is interested in incorporating this 
into their project (even as an entry in a contrib repository), let me 
know; I can't distribute binaries without going through some pain and 
suffering (setting up a SKU with my employer to ship a CD with sources 
to the kernel and the GPLed components of the initrd), but providing it 
in source form as a minor patch to someone else's project (and this *is* 
actually implemented in very little code -- a mixture of Python and 
busybox-friendly shell scripts totaling under 500 lines, so the "minor" 
label applies) should be clear sailing.
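As an added illustration of the mapping described in the post (constructed here, not the author's script, which the message does not include), the following busybox-style shell generator prints the iptables NETMAP rules the router VM would load. It assumes eth0 faces the host, cluster N is attached to ethN, and, because every cluster claims 192.168.0.0/24 once the inbound NETMAP has run, a per-cluster fwmark and routing table are used to steer the packet to the right bridge.

```shell
#!/bin/sh
# Constructed example of the NETMAP rule set for the "virtual router" VM
# (not the script from the post).  Assumptions: eth0 faces the host,
# cluster N hangs off ethN, every cluster believes it owns INNER_NET, and
# cluster N is exposed to the host as 192.168.N.0/24.
INNER_NET=192.168.0.0/24

# Print (rather than run) the commands that map one cluster, so the output
# can be reviewed, tested, or appended to the initramfs and piped into sh.
#   $1 = cluster interface   $2 = outer subnet   $3 = fwmark and table id
netmap_cluster() {
    ifc=$1; outer=$2; mark=$3
    # Packets from the cluster: tag them, because nat POSTROUTING cannot
    # match on the input interface and all clusters share INNER_NET.
    echo "iptables -t mangle -A PREROUTING -i $ifc -j MARK --set-mark $mark"
    # Outbound: NETMAP in POSTROUTING rewrites the source, 192.168.0.x -> outer.
    echo "iptables -t nat -A POSTROUTING -o eth0 -m mark --mark $mark -s $INNER_NET -j NETMAP --to $outer"
    # Inbound from the host: NETMAP in PREROUTING rewrites the destination
    # back to INNER_NET.  Routing then sees an address every cluster claims,
    # so the same mark selects a per-cluster routing table.
    echo "iptables -t mangle -A PREROUTING -i eth0 -d $outer -j MARK --set-mark $mark"
    echo "iptables -t nat -A PREROUTING -i eth0 -d $outer -j NETMAP --to $INNER_NET"
    echo "ip rule add fwmark $mark lookup $mark"
    echo "ip route add $INNER_NET dev $ifc table $mark"
    # Loose reverse-path filtering: INNER_NET is reachable via several
    # interfaces, so strict mode would drop the cluster's packets.
    echo "sysctl -w net.ipv4.conf.$ifc.rp_filter=2"
}

# Rule set for clusters 1..N (the post's example uses two).
netmap_all() {
    n=$1
    echo "sysctl -w net.ipv4.ip_forward=1"
    i=1
    while [ "$i" -le "$n" ]; do
        netmap_cluster "eth$i" "192.168.$i.0/24" "$i"
        i=$((i + 1))
    done
}

netmap_all 2
```

Replies are handled by conntrack, so no reverse rules are needed; the host-side traffic still traverses the router's PREROUTING hook, which is the property the post relies on.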
