>
> The feature looks interesting! It looks like it should be applicable to
> at least qemu and xen, I'm not so sure about LXC or VirtualBox, and
> looks unlikely for VMWare unless they have a matching capability (might
> be possible since it's based at least partly on DMTF).
It would work with any technology that uses an ethernet interface in
the host, i.e., a tap or backend interface, through which all the VM's
network traffic passes. All firewall rules would be conditioned on the
VM's interface name and jump into a VM-specific rules tree.
As for VirtualBox, since it is Qemu based and probably has a tap
interface, this should also work. I have never used LXC, so I cannot say
much about it, but it would also require a network interface in the host
on which ebtables and iptables could condition their rules
(ebtables -A ... -i <tap interface name> ...).
It should be applicable to LXC. LXC networking
(http://lxc.sourceforge.net/network/configuration.php) can be set up using
virtual interfaces and a bridge.
I believe for VMware one would need to write a backend that can translate from
this xml to the VMware APIs. The xml spec can stay the same since, as you
note, it is derived from DMTF (and what is already supported in physical
switches).
Vivek
__
Vivek Kashyap
Linux Technology Center, IBM
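The per-interface rule tree described in the thread, as an added example that is not code from this thread or from libvirt: a POSIX shell function that emits the ebtables and iptables commands which hang a VM-specific chain off the host's FORWARD chains, keyed on the VM's tap interface name. It prints the commands instead of running them so the generated rule set can be reviewed before being piped into sh on a host. The tap name "vnet0", the chain prefix "vm-" and the MAC address are constructed placeholders; the only real syntax used is ebtables' `-i`, `-s !` and `--arp-mac-src !` and iptables' `-m physdev --physdev-in`.

```shell
#!/bin/sh
# Added example (not from the thread or from libvirt): generate the
# ebtables/iptables rules that condition filtering on a VM's tap interface
# and jump into a chain that belongs to that VM alone.
# Tap name "vnet0", chain prefix "vm-" and the MAC are constructed placeholders.

gen_vm_filter_rules() {
    tap="$1"
    mac="$2"

    # Tap names are kernel interface names: 1-15 characters, and since the
    # name is interpolated into commands, no spaces or shell metacharacters.
    case "$tap" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad interface name: $tap" >&2; return 1 ;;
    esac
    [ "${#tap}" -le 15 ] || { echo "interface name too long: $tap" >&2; return 1; }

    # The MAC is interpolated as well, so insist on the canonical colon form.
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' \
        || { echo "bad MAC address: $mac" >&2; return 1; }

    chain="vm-$tap"

    # Layer 2 (ebtables): every frame entering the bridge from this tap is
    # diverted into the VM's own chain. Frames whose source MAC is not the
    # MAC assigned to the VM are dropped there (MAC anti-spoofing), as are
    # ARP packets claiming a different hardware address.
    printf 'ebtables -N %s\n' "$chain"
    printf 'ebtables -A FORWARD -i %s -j %s\n' "$tap" "$chain"
    printf 'ebtables -A %s -s ! %s -j DROP\n' "$chain" "$mac"
    printf 'ebtables -A %s -p ARP --arp-mac-src ! %s -j DROP\n' "$chain" "$mac"
    printf 'ebtables -A %s -j RETURN\n' "$chain"

    # Layer 3 (iptables): the physdev match carries the bridge port name into
    # the IP FORWARD chain, so the same tap name selects the VM's IP rules.
    # Here the VM may only originate DNS and HTTP; everything else is dropped.
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j %s\n' "$tap" "$chain"
    printf 'iptables -A %s -p udp --dport 53 -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -p tcp --dport 80 -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Stand-alone use: sh thisfile.sh <tap interface> <VM MAC>
if [ "$#" -eq 2 ]; then
    gen_vm_filter_rules "$1" "$2"
fi
```

Two things to keep in mind when using this shape on a real host: the iptables half only sees bridged traffic if bridge netfilter is active (net.bridge.bridge-nf-call-iptables), and both halves cover only forwarded frames, so traffic from the VM addressed to the host itself needs matching rules in the INPUT chains. Because the tree is keyed purely on the interface name, the backend must also tear the chains down (and unhook them from FORWARD) when the VM's tap disappears, or a later VM that is given the same name inherits the old policy.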