
On Fri, Feb 06, 2009 at 01:36:23PM -0500, Karl Wirth wrote:
Hi,
I would like your feedback on the following idea.
What if we could flexibly change the iptables rules for the different guests as they are deployed onto the node/host. The idea would be to do all of this within the iptables of the host leaving alone the iptables of the guests themselves.
Here are some specifics:
- Physical systems typically isolated using firewalls protecting well known ports.
- With virt, on shared physical device, use a bridge to give full LAN access to vm
- Or a virtual network which is an isolated bridge with no physical connection. Guests can talk to each other directly. Only NAT'd outbound.
- The idea is to eventually make it easy to centrally set up iptables rules for guests that are applied in the host iptables.
- We would have to be able to migrate the iptables rules and the state data with the vm as it moves
These bullet points don't really state any clear goal / requirement. My first assumption is that you're looking for a way to stop a guest using another guest's IP address. So called 'ip address anti-spoofing' in Xen terminology. You'd also need to prevent a guest spoofing another guest's MAC address for this to be worthwhile. Which comes down to a matter of adding iptables, ip6tables and ebtables rules against the TAP device I guess. Controlling guest <-> guest traffic as you mention below becomes a lot more complex a problem because you're considering interactions between guests' TAP devices, and not just adding rules to control stuff coming in & out of a single TAP device.
The benefits of this would be we could:
- Create networking controls that provide the same isolation as physical systems
- Control which VMs can talk to which others
This has rather a lot of overlap with the stated goals of the sVirt project, though I don't think that explicitly addresses networking, mostly disk / host OS resources.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
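One concrete shape for the per-TAP anti-spoofing rules Daniel describes (pinning a guest's TAP device to its own MAC and IPv4 address on the host), as an added illustration that is not from this thread and not libvirt's own code. The function only prints the ebtables/iptables commands so they can be reviewed before being piped to a root shell; the TAP name, chain name, MAC and IP used in the test are assumed placeholder values.

```shell
#!/bin/sh
# Emit host-side anti-spoofing rules for one guest TAP device.
# Nothing is applied here: review the output, then pipe it to sh as root.

# gen_guest_filter TAP_DEVICE GUEST_MAC GUEST_IPV4
gen_guest_filter() {
    tap=$1 mac=$2 ip=$3
    chain="guest-${tap}"      # one per-guest chain name (assumed convention)
    cat <<EOF
# --- layer 2 (ebtables): only frames carrying the guest's own MAC may leave $tap
ebtables -N $chain 2>/dev/null || ebtables -F $chain
ebtables -A $chain -s $mac -j RETURN
ebtables -A $chain -j DROP
ebtables -A FORWARD -i $tap -j $chain
# --- layer 2 (ebtables): drop ARP from $tap that claims any other source IP
ebtables -A FORWARD -i $tap -p ARP --arp-ip-src ! $ip -j DROP
# --- layer 3 (iptables): only packets from the guest's assigned IPv4 may leave $tap
iptables -N $chain 2>/dev/null || iptables -F $chain
iptables -A $chain -s $ip -j RETURN
iptables -A $chain -j DROP
iptables -A FORWARD -m physdev --physdev-in $tap -j $chain
EOF
}
```

Because the rules match on the host-side TAP device rather than anything inside the guest, they hold regardless of what the guest does to its own firewall; a migrated guest needs the same set regenerated on the destination host.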