[libvirt] ideas for custom iptables rules for libvirt networks.

Daniel P. Berrange berrange at redhat.com
Tue Apr 26 08:15:32 UTC 2016


On Mon, Apr 25, 2016 at 01:48:49PM -0400, Laine Stump wrote:
> We still periodically get requests to allow custom iptables rules for
> libvirt virtual networks (or, more commonly, a mode where libvirt simply
> leaves iptables alone, not adding or removing anything), and it's been a
> nagging item on my to-do list for a very long time. The problem is that,
> although the amount of code required to support *any* solution is very
> small, it's one of those things without a single obvious "only" way to do
> it. Anyway, I'm going to take one more stab at it.
> 
> 
> First, some background points:
> 
> * For <forward mode='nat'> libvirt's iptables rules are essential to the
> operation of the forwarding, so we shouldn't mess with that.
> 
> * For [no forward mode], libvirt's iptables rules are a part of what keeps
> the network isolated from the rest of the network, so we shouldn't mess with
> that either.
> 
> * For <forward mode='route'> we currently allow all outgoing and incoming as
> long as it is to/from the IP address range defined for the network.
> 
> So we really want something that can be used only for <forward mode='route'>.
> 
> I can see 3 different possibilities:
> 
> 1) a new forward mode which is just like 'route', but doesn't add any
> iptables rules. (what to call it though? "filterless-route"? Too long and
> ugly :-/)

I'd suggest this and just call it mode='bare' or mode='open', to avoid
implying any specific semantics about the connectivity.


> 2) a new attribute to <forward> that takes effect only for mode='route'.
> Maybe call it "filter". We could have "filter='open'" (what it does
> currently, and will remain the default), "filter='outgoingOnly'", and
> "filter='none' (the most requested functionality - no iptables rules would
> be added for the network)
> 
> 3) add a <filter> subelement to <forward> that allows specifying iptables
> rules for the network. Perhaps this could instead be a <filterref>, and use
> nwfilter to specify the rules? (that sounds really cool, and if it worked it
> would be a nice re-use of the nwfilter driver, but it may have undetermined
> pitfalls due to nwfilter being designed with guest traffic filtering in
> mind, would take a lot more work, and wouldn't address the most common
> request - "Don't mess with iptables! I want to do it myself!").
> 
> Anyone have an opinion or alternate idea?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
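Under the "open"/"bare" mode Daniel suggests above, the admin rather than libvirt owns the forwarding rules for the network. The following is an added example, not code from the thread or from libvirt: it reads the network XML, derives the address range, emits hand-maintained iptables rules with the semantics the thread attributes to route mode (allow anything to/from the network's range), and lists which rules in an `iptables -S` dump reference the bridge. The rule shapes, the network name `routed0`, the bridge `virbr1`, and the dump contents are constructed assumptions.

```python
# Added example (not from the libvirt thread): derive a libvirt network's
# subnet from its XML, express route-mode forwarding as admin-owned iptables
# commands, and check a captured `iptables -S` dump for rules on the bridge.
# The rule shape is an assumption modelled on the thread's description of
# route mode, not a copy of the rules libvirt itself installs.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: a route-mode network in libvirt's XML form.
NETWORK_XML = """<network>
  <name>routed0</name>
  <forward mode='route'/>
  <bridge name='virbr1'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>"""

# Constructed sample of `iptables -S FORWARD`; virbr10 is there to show
# that a plain substring match on "virbr1" would be wrong.
SAMPLE_DUMP = """-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr1 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr1 -j ACCEPT
-A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable"""

def network_subnet(xml_text):
    """Return (bridge name, IPv4Network) from libvirt network XML."""
    root = ET.fromstring(xml_text)
    bridge = root.find("bridge").get("name")
    ip = root.find("ip")
    # ip_interface accepts the dotted netmask form libvirt uses.
    iface = ipaddress.ip_interface(f"{ip.get('address')}/{ip.get('netmask')}")
    return bridge, iface.network

def route_mode_rules(bridge, subnet):
    """Admin-maintained equivalent of route-mode forwarding (assumed shape):
    accept traffic entering from the bridge sourced in the subnet, and
    traffic leaving via the bridge destined to the subnet."""
    return [
        f"iptables -A FORWARD -i {bridge} -s {subnet} -j ACCEPT",
        f"iptables -A FORWARD -o {bridge} -d {subnet} -j ACCEPT",
    ]

def rules_touching_bridge(iptables_dump, bridge):
    """Lines of an `iptables -S` dump whose -i/-o names exactly this bridge.
    An empty result means nothing (libvirt or admin) filters the network."""
    pat = re.compile(rf"-[io] {re.escape(bridge)}\b")
    return [line for line in iptables_dump.splitlines() if pat.search(line)]
```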