[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Daniel P. Berrange berrange at redhat.com
Thu Feb 4 13:40:57 UTC 2010


On Thu, Feb 04, 2010 at 01:07:59PM +0100, Gerhard Stenzel wrote:
> On Mon, 2010-01-25 at 14:59 +0000, Daniel P. Berrange wrote:
> > The shear size of the ruleset inside the <interface> element is
> > rather alarming to me. Imagine if you have a guest with more
> > than one NIC.  I'm inclined to suggest that the <interface> 
> > element in the domain XML description should only have a single
> > rule
> > 
> >    <filter name='BLAH'/>
> > 
> > and if apps wish to construct a filter, from multiple independent
> > sub-filters, then that should be done against the filter object's
> > config, rather than the domain object's config. 
> 
> Daniel,
> we could achieve something similar with the following construct:
> 
> <xi:include href="demofilter.xml"
> xmlns:xi="http://www.w3.org/2001/XInclude"/>
> 
> This would also have the advantage that the filter rules do not clutter
> up the domain xml, but the migration of the rules might be simpler to
> implement.
> What is your thinking about this approach?

This addresses the problem from the public facing XML point of view, but
not from the internal implementation. If we have an explicitly separate
filter that can be referenced from multiple places, then the internal
libvirt implementation can optimize this to only create 1 set of iptables
rules that are used to apply to all guests referencing the filter. If
by contrast you do the includes at the XML document level, then the
internal implementation cannot practically use a shared set of rules
and so you'll end up with the same rulesets having to be duplicated in
iptables for each guest, which could cause scalability limitations.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
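The trade-off Daniel describes, as an added example that is not part of the thread or of libvirt's own code: guests carry only a `<filter name='...'/>` reference (the element syntax from the proposal, assumed here; it is not libvirt's final nwfilter schema), filter bodies live in a separate document, and the host rules are rendered two ways. With a shared chain per filter, every extra interface costs one jump rule; with rules inlined per interface, every extra interface costs a full copy of the filter. The rule strings are illustrative iptables-style lines, not what libvirt emits, and the filter and domain documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed filter document (assumed syntax: <filter name='...'> holding
# simple proto/dport/action rules).  'unused' is referenced by no guest.
FILTERS_XML = """
<filters>
  <filter name='web-only'>
    <rule action='ACCEPT' proto='tcp' dport='80'/>
    <rule action='ACCEPT' proto='tcp' dport='443'/>
    <rule action='DROP'/>
  </filter>
  <filter name='ssh-only'>
    <rule action='ACCEPT' proto='tcp' dport='22'/>
    <rule action='DROP'/>
  </filter>
  <filter name='unused'>
    <rule action='DROP'/>
  </filter>
</filters>
"""


def guest_xml(name, nics):
    """Build a constructed domain document whose interfaces only reference a filter by name."""
    ifaces = "".join(
        f"<interface type='bridge'><target dev='{dev}'/><filter name='{flt}'/></interface>"
        for dev, flt in nics)
    return f"<domain><name>{name}</name><devices>{ifaces}</devices></domain>"


# Constructed fleet: three two-NIC web guests and one single-NIC bastion.
DOMAINS_XML = [
    guest_xml("web1", [("vnet0", "web-only"), ("vnet1", "web-only")]),
    guest_xml("web2", [("vnet2", "web-only"), ("vnet3", "web-only")]),
    guest_xml("web3", [("vnet4", "web-only"), ("vnet5", "web-only")]),
    guest_xml("bastion", [("vnet6", "ssh-only")]),
]


def load_filters(xml_text):
    """Map filter name -> list of rule attribute dicts."""
    root = ET.fromstring(xml_text)
    return {f.get("name"): [dict(r.attrib) for r in f.findall("rule")]
            for f in root.findall("filter")}


def interface_refs(domain_xmls):
    """Return (tap device, filter name) for every filtered <interface> in every domain."""
    refs = []
    for text in domain_xmls:
        for iface in ET.fromstring(text).iter("interface"):
            flt = iface.find("filter")
            if flt is None:
                continue  # unfiltered NIC: nothing to render
            refs.append((iface.find("target").get("dev"), flt.get("name")))
    return refs


def lookup(filters, name):
    """Resolve a reference; a dangling reference is a configuration error, not an open NIC."""
    if name not in filters:
        raise ValueError(f"interface references undefined filter {name!r}")
    return filters[name]


def match(rule):
    """Translate a rule's optional proto/dport attributes into iptables match arguments."""
    parts = []
    if "proto" in rule:
        parts += ["-p", rule["proto"]]
    if "dport" in rule:
        parts += ["--dport", rule["dport"]]
    return parts


def render_inline(filters, refs):
    """Include-at-XML-level design: every rule is copied into FORWARD per interface."""
    lines = []
    for dev, name in refs:
        for rule in lookup(filters, name):
            lines.append(" ".join(["-A", "FORWARD", "-m", "physdev", "--physdev-in", dev]
                                  + match(rule) + ["-j", rule["action"]]))
    return lines


def render_shared(filters, refs):
    """Named-filter design: one chain per referenced filter, one jump per interface."""
    lines = []
    used = list(dict.fromkeys(name for _, name in refs))  # referenced filters, first-seen order
    for name in used:
        lines.append(f"-N {name}")
        for rule in lookup(filters, name):
            lines.append(" ".join(["-A", name] + match(rule) + ["-j", rule["action"]]))
    for dev, name in refs:
        lines.append(f"-A FORWARD -m physdev --physdev-in {dev} -j {name}")
    return lines


if __name__ == "__main__":
    filters = load_filters(FILTERS_XML)
    refs = interface_refs(DOMAINS_XML)
    print(f"{len(refs)} interfaces: inline={len(render_inline(filters, refs))} rules, "
          f"shared={len(render_shared(filters, refs))} rules")
```

Run it to see the gap widen as guests are added: each new two-NIC web guest adds six inline rules but only two jump rules under the shared design, and the `unused` filter never reaches the host because no interface references it.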