[libvirt] the case for volatile nwfilters

Dan Kenigsberg danken at redhat.com
Tue Oct 29 16:33:52 UTC 2013


I'd like oVirt to make a more extensive usage of libvirt's nwfilters in
order to implement security groups, i.e. which protocol/port/host should
be open on an interface.

Since oVirt is centrally-managed by ovirt-engine, filter definitions
should be edited there and kept in its database. However, libvirt's
domain xml requires a locally-defined filter as well:

  <devices>
    <interface type='bridge'>
      <filterref filter='filter-name'/>
    </interface>
  </devices>

We can live with it by defining an ad-hoc filter before starting a VM,
deleting it after the VM stops, and collecting garbage (due to system
crashes) occasionally.

It would be nicer if we could instead have just-in-time filter
definition such as

  <devices>
    <interface type='bridge'>
      <filter name='nameless'>
         <rule/>
         <rule/>
         <rule/>
      </filter>
    </interface>
  </devices>

avoiding nwfilter persistence. Would something like this be beneficial
to other libvirt users? Would it be easy to implement within libvirt?

Regards,
Dan.
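The ad-hoc workflow the post describes, as an added Python example that is not part of the post, of oVirt or of libvirt: one function builds the per-VM nwfilter XML from security-group rules (protocol, port, source host) that would be handed to libvirt's conn.nwfilterDefineXML() before the VM starts, and a second does the crash garbage collection by comparing the host's defined filter names against the <filterref> elements in every domain's XML. The "ovirt-sg-" naming prefix and the sample host state are constructed for the example.

```python
import xml.etree.ElementTree as ET

ADHOC_PREFIX = "ovirt-sg-"   # constructed naming convention, not an oVirt name


def security_group_filter_xml(name, rules):
    """nwfilter XML for one VM: rules are (protocol, dst port, source host
    or CIDR) accepted inbound; all other inbound traffic is dropped.
    This is what conn.nwfilterDefineXML() would receive before VM start."""
    root = ET.Element("filter", name=name, chain="root")
    for proto, port, src in rules:
        rule = ET.SubElement(root, "rule", action="accept", direction="in",
                             priority="500")
        attrs = {"dstportstart": str(port)}
        if "/" in src:   # CIDR -> address plus prefix-length mask
            attrs["srcipaddr"], attrs["srcipmask"] = src.split("/", 1)
        else:
            attrs["srcipaddr"] = src
        ET.SubElement(rule, proto, attrs)
    # Catch-all drop evaluated after the accepts (larger priority runs later).
    drop = ET.SubElement(root, "rule", action="drop", direction="in",
                         priority="1000")
    ET.SubElement(drop, "all")
    return ET.tostring(root, encoding="unicode")


def orphaned_filters(defined_names, domain_xmls, prefix=ADHOC_PREFIX):
    """Garbage collection after a crash: ad-hoc filters (by prefix) that no
    defined domain's <filterref> still points at. defined_names would come
    from conn.listAllNWFilters(); each orphan is a candidate for undefine()."""
    referenced = set()
    for xml in domain_xmls:
        for ref in ET.fromstring(xml).iterfind(".//interface/filterref"):
            referenced.add(ref.get("filter"))
    return sorted(n for n in defined_names
                  if n.startswith(prefix) and n not in referenced)


# Constructed sample host state: vm1 still defined, vm2's filter left behind.
SAMPLE_DEFINED = ["clean-traffic", "ovirt-sg-vm1", "ovirt-sg-vm2"]
SAMPLE_DOMAINS = ["""<domain type='kvm'><name>vm1</name><devices>
  <interface type='bridge'><filterref filter='ovirt-sg-vm1'/></interface>
</devices></domain>"""]
```

Running orphaned_filters(SAMPLE_DEFINED, SAMPLE_DOMAINS) yields ['ovirt-sg-vm2']; the stock clean-traffic filter is never touched because it does not carry the ad-hoc prefix.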
