Re: [libvirt] iptables and libvirt
- From: Karl Wirth <kwirth redhat com>
- To: "Daniel P. Berrange" <berrange redhat com>
- Cc: libvir-list <libvir-list redhat com>
- Subject: Re: [libvirt] iptables and libvirt
- Date: Fri, 13 Feb 2009 10:12:32 -0500
Daniel P. Berrange wrote:
> Actually I believe Karl's use case is that the host explicitly *does*
> know the IP the guest is /supposed/ to be using, and wants to prevent
> it spoofing someone else's IP.
>
Yes. This is what I was thinking.
> I agree with your general point though, that when trying this in a general
> purpose OS deployment I don't think you can provide sufficient guarantees
> from a libvirt POV. There are simply too many other things that may break
> or otherwise badly interact with the iptables rules we're adding. At the
> very simplest level, 'service iptables restart' messes things up.
>
> In the context of a controlled host image, like the oVirt managed node,
> the mgmt app is in control of the host OS, and in such a scenario it
> may be practical for libvirt to add iptables rules for guests.
>
I was thinking of a fully managed node.
Thanks for this feedback.