Karl Wirth wrote:
> Hi,
> I would like your feedback on the following idea.
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host. The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.
First, one thing: the firewall setup for EL-5 and EL-6 is using the
same mechanism with accept rules first and reject rules afterwards.
This means that adding an accept rule before the reject rule could open
up the firewall.
> Here are some specifics:
> - Physical systems typically isolated using firewalls protecting well
> known ports.
> - With virt, on shared physical device, use a bridge to give full LAN
> access to vm
> - Or a virtual network which is an isolated bridge with no physical
> connection. Guests can talk to each other directly. Only NAT'd outbound.
> - The idea is to eventually make it easy to centrally set up iptables
> rules for guests that are applied in the host iptables.
> - We would have to be able to migrate the iptables rules and the state
> data with vm as it moves
Migration of the state will be a problem for EL-5 and IPv6, because
stateful firewalling in EL-5 is only possible with IPv4. This is due to
using different netfilter interfaces for IPv4 and IPv6.
> The benefits of this would be we could:
> - Create networking controls that provide the same isolation as physical systems
> - Control which VMs can talk to which others
> Integration option:
> - Integration in virtd because it knows about the guests and their
> network parameters.
> Some Questions:
> 1) Should it be a static system with predefined rules or a fully dynamic
> system?
> 2) Will there be a configuration utility for the rules?
> 3) What do you want to do with user-customized firewalls?
Thanks,
Thomas
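The two points the thread turns on, host-side per-guest rules and the accept-before-reject ordering hazard, can be shown together in a small model. The following is an added example, not code from the mail thread, from libvirt or from any distribution. It assumes things the thread does not state: each guest is attached to the host as an interface named vnetN, host-to-guest traffic crosses the filter table's FORWARD chain, and the host's own chain ends in a catch-all REJECT the way the EL-5/EL-6 default firewall does. The evaluator implements only the first-match semantics needed to reason about rule order; it is not iptables, but the text it renders is valid iptables-restore input.

```python
"""Added example: per-guest firewall rules kept in the host's iptables.

Assumed, not stated in the thread: guest interfaces are named vnetN, guest
traffic crosses the FORWARD chain, and the host chain ends in a catch-all
REJECT (EL-5/EL-6 style).  Not iptables: a first-match evaluator only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTS = {"i": "-i", "o": "-o", "p": "-p", "dport": "--dport", "state": "-m state --state"}


@dataclass
class Rule:
    match: Dict[str, str]   # keys mirror iptables options: -i, -o, -p, --dport, --state
    target: str             # ACCEPT / REJECT / RETURN or the name of a user chain

    def matches(self, pkt: Dict[str, str]) -> bool:
        for key, want in self.match.items():
            if key == "state":                       # --state takes a comma list
                if pkt.get("state") not in want.split(","):
                    return False
            elif pkt.get(key) != want:
                return False
        return True

    def render(self, chain: str) -> str:
        return " ".join([f"-A {chain}", *(f"{OPTS[k]} {v}" for k, v in self.match.items()),
                         f"-j {self.target}"])


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def append(self, chain: str, rule: Rule) -> None:              # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 0) -> None:  # iptables -I (top)
        self.chains.setdefault(chain, []).insert(pos, rule)

    def insert_before_reject(self, chain: str, rule: Rule) -> None:
        rules = self.chains.setdefault(chain, [])
        self.insert(chain, rule, next((i for i, r in enumerate(rules)
                                       if r.target == "REJECT" and not r.match), len(rules)))

    def verdict(self, chain: str, pkt: Dict[str, str]) -> Optional[str]:
        """First matching terminal rule wins; a user chain falls through on RETURN."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            sub = self.verdict(rule.target, pkt)
            if sub is not None:
                return sub
        return None

    def forward(self, pkt: Dict[str, str]) -> str:
        return self.verdict("FORWARD", pkt) or "ACCEPT"   # built-in chain policy ACCEPT

    def render(self) -> str:
        """iptables-restore text for the filter table, in final rule order."""
        heads = [f":{c} {'ACCEPT' if c == 'FORWARD' else '-'} [0:0]" for c in self.chains]
        body = [r.render(c) for c, rules in self.chains.items() for r in rules]
        return "\n".join(["*filter", *heads, *body, "COMMIT"])


def host_baseline() -> Ruleset:
    """Host policy: replies pass, everything else is rejected."""
    rs = Ruleset()
    rs.append("FORWARD", Rule({"state": "RELATED,ESTABLISHED"}, "ACCEPT"))
    rs.append("FORWARD", Rule({}, "REJECT"))
    return rs


def add_guest(rs: Ruleset, name: str, vnet: str, tcp_ports=(), peer_vnets=()) -> str:
    """One chain per guest: TCP ports it may expose and peer guests it may accept
    new connections from.  Guest rules are only ever appended inside the chain;
    the single FORWARD hook goes ahead of the host's REJECT so they are never
    shadowed, and the chain ends in RETURN so unlisted traffic still hits it."""
    chain = f"VM-{name}"
    rs.chains[chain] = []
    for port in tcp_ports:
        rs.append(chain, Rule({"p": "tcp", "dport": str(port), "state": "NEW"}, "ACCEPT"))
    for peer in peer_vnets:
        rs.append(chain, Rule({"i": peer, "state": "NEW"}, "ACCEPT"))
    rs.append(chain, Rule({}, "RETURN"))
    rs.insert_before_reject("FORWARD", Rule({"o": vnet}, chain))
    return chain


def export_guest(rs: Ruleset, name: str) -> List[str]:
    """The rules that travel with a guest on migration: its hook and its chain."""
    chain = f"VM-{name}"
    hook = [r.render("FORWARD") for r in rs.chains["FORWARD"] if r.target == chain]
    return hook + [r.render(chain) for r in rs.chains[chain]]


def demo() -> Dict[str, str]:
    ssh_to_web = {"i": "eth0", "o": "vnet1", "p": "tcp", "dport": "22", "state": "NEW"}
    db_to_web = {"i": "eth0", "o": "vnet1", "p": "tcp", "dport": "3306", "state": "NEW"}
    db_from_lan = {"i": "eth0", "o": "vnet2", "p": "tcp", "dport": "3306", "state": "NEW"}
    db_from_web = {"i": "vnet1", "o": "vnet2", "p": "tcp", "dport": "3306", "state": "NEW"}
    reply = {"i": "vnet1", "o": "eth0", "p": "tcp", "state": "ESTABLISHED"}
    # Thomas's point: with ACCEPTs first and REJECT last, '-A' lands after the
    # REJECT and is dead, while '-I' lands above it and opens whatever it matches.
    appended = host_baseline()
    appended.append("FORWARD", Rule({"o": "vnet1", "p": "tcp", "dport": "22", "state": "NEW"}, "ACCEPT"))
    inserted = host_baseline()
    inserted.insert("FORWARD", Rule({"o": "vnet1"}, "ACCEPT"))
    managed = host_baseline()
    add_guest(managed, "web", "vnet1", tcp_ports=(22, 80))
    add_guest(managed, "db", "vnet2", peer_vnets=("vnet1",))   # only web may reach db
    return {
        "appended_after_reject": appended.forward(ssh_to_web),  # REJECT: never reached
        "inserted_above_reject": inserted.forward(db_to_web),   # ACCEPT: guest wide open
        "managed_ssh": managed.forward(ssh_to_web),             # ACCEPT
        "managed_web_3306": managed.forward(db_to_web),         # REJECT
        "managed_db_from_lan": managed.forward(db_from_lan),    # REJECT
        "managed_db_from_web": managed.forward(db_from_web),    # ACCEPT
        "managed_reply": managed.forward(reply),                # ACCEPT
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The per-guest chain is what makes the ordering question go away: the only rule that ever touches the host's FORWARD chain is one jump inserted ahead of the catch-all REJECT, so an administrator (or the tool Karl envisions) appending to VM-web cannot accidentally reorder the host's own rules. The chain is also a natural unit for migration, since `export_guest` yields exactly the lines to replay on the destination host; the connection-tracking state Karl also wants to move, and the EL-5 IPv6 limitation Thomas raises, are not addressed by this model.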