Hi,
I would like your feedback on the following idea.
What if we could flexibly change the iptables rules for the different
guests as they are deployed onto the node/host. The idea would be to do
all of this within the iptables of the host leaving alone the iptables
of the guests themselves.
Here are some specifics:
- Physical systems are typically isolated using firewalls protecting
well-known ports.
- With virt, on a shared physical device, use a bridge to give full LAN
access to the VM.
- Or a virtual network, which is an isolated bridge with no physical
connection. Guests can talk to each other directly. Only NAT'd outbound.
- The idea is to eventually make it easy to centrally set up iptables
rules for guests that are applied in the host iptables.
- We would have to be able to migrate the iptables rules and the state
data with the VM as it moves.
The benefits of this would be we could:
- Create networking controls that provide same isolation as physical systems
- Control which VMs can talk to which others
Integration option:
- Integration in virtd because it knows about the guests and their
network parameters.
Thanks for your feedback.
Best regards,
Karl
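The following sketch is an added example of the host-side approach described in the message above; it is not code from the message, from libvirt, or from any project. It assumes a per-guest chain naming scheme (GUEST_<name>), guest tap interface names (vnet0 and similar) and peer addresses that are constructed here for illustration. Each guest gets its own chain hooked into the host FORWARD chain via the physdev match on the guest's tap device, so the guest's own iptables is untouched. Bridged frames only traverse the host FORWARD chain when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is set to 1; without that the hook rule never matches. By default the functions print the commands (IPT="echo iptables"); run with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original message or from libvirt): per-guest
# host-side iptables chains. Chain names, tap names and addresses are
# constructed/hypothetical. Requires br_netfilter with
# net.bridge.bridge-nf-call-iptables=1 so bridged traffic hits FORWARD.
IPT="${IPT:-echo iptables}"   # dry-run by default; IPT=iptables to apply

# guest_chain NAME -> chain name used for guest NAME
guest_chain() {
    printf 'GUEST_%s' "$1"
}

# guest_rules NAME VNET PEER...: isolate guest NAME attached to tap VNET so
# it may only initiate traffic to the listed peer IPs; return traffic for
# existing connections is allowed, everything else is dropped.
guest_rules() {
    name=$1; vnet=$2; shift 2
    chain=$(guest_chain "$name")
    $IPT -N "$chain"
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for peer in "$@"; do
        $IPT -A "$chain" -d "$peer" -j ACCEPT
    done
    $IPT -A "$chain" -j DROP
    # Hook: frames entering the bridge from the guest's tap go to its chain.
    $IPT -I FORWARD -m physdev --physdev-in "$vnet" -j "$chain"
}

# guest_export NAME: dump the guest's chain in iptables-restore-style form,
# which is what would travel with the VM during migration (connection
# tracking state is not covered here).
guest_export() {
    $IPT -S "$(guest_chain "$1")"
}

# guest_remove NAME VNET: unhook and delete the guest's chain when the
# guest leaves the host.
guest_remove() {
    chain=$(guest_chain "$1")
    $IPT -D FORWARD -m physdev --physdev-in "$2" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}

# Example usage with constructed values: vm1 on vnet0 may only reach two peers.
guest_rules vm1 vnet0 192.0.2.10 192.0.2.11
guest_export vm1
```

Ordering matters: the ESTABLISHED,RELATED rule must precede the DROP so that replies to connections the peers initiated are not cut off, and the FORWARD hook is inserted at the top so it takes precedence over any broader bridge-wide accept rules already on the host.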