On Fri, Feb 06, 2009 at 01:36:23PM -0500, Karl Wirth wrote:
> Hi,
> I would like your feedback on the following idea.
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host. The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.
> Here are some specifics:
> - Physical systems typically isolated using firewalls protecting well
> known ports.
> - With virt, on shared physical device, use a bridge to give full LAN
> access to VM
> - Or a virtual network which is an isolated bridge with no physical
> connection. Guests can talk to each other directly. Only NAT'd outbound.
> - The idea is to eventually make it easy to centrally set up iptables
> rules for guests that are applied in the host iptables.
> - We would have to be able to migrate the iptables rules and the state
> data with the VM as it moves
These bullet points don't really state any clear goal / requirement.
My first assumption is that you're looking for a way to stop a guest
using another guest's IP address. So called 'ip address anti-spoofing'
in Xen terminology. You'd also need to prevent a guest spoofing another
guest's MAC address for this to be worthwhile. Which comes down to
a matter of adding iptables, ip6tables and ebtables rules against
the TAP device I guess.
Controlling guest <-> guest traffic, as you mention below, becomes a lot
more complex a problem because you're considering interactions between
guests' TAP devices, and not just adding rules to control stuff coming
in & out of a single TAP device.
> The benefits of this would be we could:
> - Create networking controls that provide same isolation as physical systems
> - Control which VMs can talk to which others
This has rather a lot of overlap with the stated goals of the sVirt
project, though I don't think that explicitly addresses networking,
mostly disk / host OS resources.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
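Daniel's reply boils per-guest IP/MAC anti-spoofing down to ebtables and iptables rules against the guest's TAP device. As an added example (not code from this thread or from libvirt), here is a small POSIX sh generator for exactly that rule set; the TAP name, MAC and IPv4 address are constructed placeholder values, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Per-TAP anti-spoofing rule generator (added example, not libvirt code).
# Assumptions: the host knows the guest's TAP name, MAC and IPv4 address
# (placeholders below). Output can be reviewed, or piped to sh as root.
# Note: iptables FORWARD only sees bridged frames when the sysctl
# net.bridge.bridge-nf-call-iptables is enabled on the host.

# Validate an IPv4 dotted-quad and a colon-separated MAC before building rules.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rules for one TAP device. Layer 2: only frames carrying the
# guest's own MAC may enter the bridge from its TAP. ARP: the guest may not
# claim another MAC or IP, so it cannot poison neighbours' ARP caches.
# Layer 3: only packets sourced from the guest's IP may leave its TAP.
antispoof_rules() {
    tap=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    cat <<EOF
ebtables -A FORWARD -i $tap -s ! $mac -j DROP
ebtables -A FORWARD -i $tap -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $tap -p ARP --arp-ip-src ! $ip -j DROP
ebtables -A FORWARD -i $tap -p IPv4 --ip-source ! $ip -j DROP
iptables -A FORWARD -m physdev --physdev-in $tap ! -s $ip -j DROP
EOF
}

# Example invocation with constructed placeholder values.
antispoof_rules vnet0 52:54:00:12:34:56 192.168.122.10
```

Migrating the guest means re-running the generator on the destination host with the same MAC/IP and deleting the rules on the source, which is the per-TAP half of the migration problem Karl raises.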