[libvirt] iptables and libvirt

Karl Wirth kwirth at redhat.com
Fri Feb 6 18:36:23 UTC 2009


I would like your feedback on the following idea.

What if we could flexibly change the iptables rules for the different
guests as they are deployed onto the node/host.  The idea would be to do
all of this within the iptables of the host leaving alone the iptables
of the guests themselves.

Here are some specifics:
- Physical systems are typically isolated using firewalls protecting
well-known ports.
- With virt, on a shared physical device, use a bridge to give full LAN
access to the VM.
- Or a virtual network, which is an isolated bridge with no physical
connection.  Guests can talk to each other directly.  Only NAT'd outbound.
- The idea is to eventually make it easy to centrally set up iptables
rules for guests that are applied in the host iptables.
- We would have to be able to migrate the iptables rules and the state
data with the VM as it moves.

The benefits of this would be we could:
- Create networking controls that provide same isolation as physical systems
- Control which VMs can talk to which others

Integration option:
- Integration in virtd because it knows about the guests and their
network parameters.

Thanks for your feedback.

Best regards,
