[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] iptables and libvirt



On Fri, Feb 06, 2009 at 01:36:23PM -0500, Karl Wirth wrote:
> Hi,
> 
> I would like your feedback on the following idea. 
> 
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host.  The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.
> 
> Here are some specifics:
> - Physical systems typically isolated using firewalls protecting well
> known ports.
> - With virt, on shared physical device, use a bridge to give full LAN
> access to vm
> - Or a virtual network which is an isolated bridge with no physical
> connection.  Guest can talk to each other directly.  Only NAT'd outbound.
> - The idea is to eventually make it easy to centrally set up iptable
> rules for guests that are applied in the host iptables.
> - We would have to be able to migrate the iptables rules and the state
> data with vm as it moves

These bullet points don't really state any clear goal / requirement.

My first assumption is that you're looking for a way to stop a guest 
using another guests IP address. So called 'ip address anti-spoofing'
in Xen terminology.  You'd also need to prevent a guest spoofing another
guest's MAC address for this to be worthwhile. Which comes down to
a matter of adding iptables, ip6tables and ebtables rules against
the TAP device i guess.

Controlling guest <-> guest traffic as you mention below, becomes alot
more complex problem because you're considering interactions between
guests' TAP devices, and not just adding rules to control stuff coming
in & out of a single TAP device.

> The benefits of this would be we could:
> - Create networking controls that provide same isolation as physical systems
> - Control which VMs can talk to which others

This has rather alot of overlap with the stated goals of the sVirt
project, though I don't think that explicitly addresses networking,
mostly disk / host OS resources.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]