[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Vivek Kashyap kashyapv at us.ibm.com
Wed Jan 20 07:24:46 UTC 2010


>>
>> The feature looks interesting! It looks like it should be applicable to
>> at least qemu and xen; I'm not so sure about LXC or VirtualBox, and it
>> looks unlikely for VMware unless they have a matching capability (might
>> be possible since it's based at least partly on DMTF).
>
> It would work with any technology that uses an ethernet interface in
> the host, i.e., a tap or backend interface, through which all the VM's
> network traffic passes. All firewall rules would be conditioned on the
> VM's interface name and jump into a VM-specific rules tree.
>
> As for VirtualBox, since it is Qemu based and probably has a tap
> interface, this should also work. I have never used LXC, so I cannot say
> much about it, but it would also require a network interface in the host
> onto which ebtables and iptables could condition their rules
> (ebtables -A ... -i <tap interface name> ...).

It should be applicable to LXC. LXC networking (http://lxc.sourceforge.net/network/configuration.php) can be set up using virtual interfaces and a bridge.

I believe for VMware one would need to write a backend that can translate from
this XML to the VMware APIs. The XML spec can stay the same since, as you
note, it is derived from DMTF (and what is already supported in physical
switches).

Vivek
--

Vivek Kashyap
Linux Technology Center, IBM
