[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Dimitrios Pendarakis dimitris at us.ibm.com
Thu Jan 14 00:09:02 UTC 2010


Note that this is the case for the standard VMware ESX vSwitch. However, the Cisco Nexus 1000v, which is an optional virtual switch for ESX, does appear to provide (guest) VM firewall capabilities. See for example the section on "isolation and protection" and ACLs in the link below:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf

In terms of interfaces, the 1000v claims a CLI (likely similar to physical Cisco switches), support for SNMP and an XML API.

Thanks,
Dimitrios


From: Matthias Bolte <matthias.bolte at googlemail.com>
To: Stefan Berger/Watson/IBM at IBMUS
Cc: Gerhard Stenzel <gerhard.stenzel at de.ibm.com>, libvir-list at redhat.com, Vivek Kashyap/Beaverton/IBM at IBMUS
Date: 01/13/2010 05:43 PM
Subject: Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
Sent by: libvir-list-bounces at redhat.com

2010/1/13 Stefan Berger <stefanb at us.ibm.com>:
>
> Daniel Veillard <veillard at redhat.com> wrote on 01/13/2010 12:03:22 PM:
>
>> On Mon, Jan 11, 2010 at 12:55:27PM -0500, Stefan Berger wrote:
>> > Hello!
>> >
> [...]
[...]
>> other case of limitations could be found. Also this may not map well
>> for other kind of hypervisors like VMWare, right ?
>
> I don't know much about the API that VMWare is exposing. Maybe only a
> certain subset of what would be possible with this XML could be applied
> to their API, if such functionality exist. Otherwise, if libvirt
> can run ebtables and iptables commands on their management VM and
> all traffic passes through a VM-specific network interface (tap) in that
> VM, it *should* work as well.

VMware ESX hosts allow configuring the host-level firewall via the
remote VI API. But AFAIK there is no virtual-machine-level firewall.

You're not supposed to do something like that in the service console;
doing anything in the service console is not supported in general.
Also, there is no libvirtd in the service console because of that and
because it is not necessary. The ESX driver does everything using the
remote VI API.

Matthias

--
libvir-list mailing list
libvir-list at redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list