
Re: [libvirt] iptables and libvirt



One way to do this is to place a tiny VM (static kernel+very small initramfs [uClibc+busybox+iptables+dnsmasq]) between VM clusters and the host, rather than giving the host an IP on each cluster's bridge directly. The tool that launches it (via libvirt) appends extra files to the initramfs giving iptables rules to be run. I use this "virtual router" to NETMAP multiple clouds of VMs which all think they're using the same network space (say, 192.168.0.0/24) onto different subnets (say, 192.168.1.x and 192.168.2.x for the first two clusters), but also have added support for redirecting connections intended for specific targets to elsewhere, overriding DNS results for specific hosts, and other miscellaneous utility functions.

Using a separate VM rather than iptables rules on the host was necessary in my use case because doing symmetrical NETMAP properly requires packets from the host to the clients to pass through the PREROUTING table -- which packets generated within a given host don't do.


If anyone (libvirt/oVirt/whomever) is interested in incorporating this into their project (even as an entry in a contrib repository), let me know; I can't distribute binaries without going through some pain and suffering (setting up a SKU with my employer to ship a CD with sources to the kernel and the GPLed components of the initrd), but providing it in source form as a minor patch to someone else's project (and this *is* actually implemented in very little code -- a mixture of Python and busybox-friendly shell scripts totaling under 500 lines, so the "minor" label applies) should be clear sailing.
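A busybox-friendly sketch of the symmetric NETMAP rule set such a router VM would load, written here as an added illustration rather than the poster's own scripts. It assumes one router VM per cluster, interface names eth1 (cluster bridge) and eth0 (host side), the 192.168.x ranges from the post, and a hypothetical `IPTABLES=echo` switch that prints the rules instead of applying them.

```shell
#!/bin/sh
# Symmetric NETMAP for one "virtual router" VM (constructed example).
# Assumptions, not from the post: one router VM per cluster;
#   INNER  = interface on the cluster bridge, where VMs share 192.168.0.0/24
#   OUTER  = interface facing the host, where the cluster shows up as its mapped range
# The host must route the mapped range to this VM's OUTER address, and the VM
# must route the shared range out INNER; NETMAP only rewrites addresses.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run

# netmap_rules INNER OUTER SHARED_NET MAPPED_NET
netmap_rules() {
    inner="$1"; outer="$2"; shared="$3"; mapped="$4"

    # Host -> cluster: rewrite the mapped destination back to the shared range.
    # This lives in PREROUTING, which packets generated on the host itself never
    # traverse; that is why the rule runs inside a separate VM, not on the host.
    "$IPTABLES" -t nat -A PREROUTING -i "$outer" -d "$mapped" -j NETMAP --to "$shared"

    # Cluster -> host: rewrite the shared source range to the mapped range.
    "$IPTABLES" -t nat -A POSTROUTING -o "$outer" -s "$shared" -j NETMAP --to "$mapped"

    # FORWARD sees addresses after PREROUTING and before POSTROUTING, so both
    # directions match on the shared range. Anything else is dropped.
    "$IPTABLES" -A FORWARD -i "$inner" -o "$outer" -s "$shared" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$outer" -o "$inner" -d "$shared" -j ACCEPT
    "$IPTABLES" -P FORWARD DROP
}

# Cluster 1: VMs believe they are 192.168.0.0/24, the host sees 192.168.1.0/24.
netmap_cluster1() {
    netmap_rules eth1 eth0 192.168.0.0/24 192.168.1.0/24
}

# Cluster 2 reuses the same shared range but is mapped to 192.168.2.0/24.
netmap_cluster2() {
    netmap_rules eth1 eth0 192.168.0.0/24 192.168.2.0/24
}
```

Each cluster's router loads only its own function; the shared 192.168.0.0/24 never appears on the host side, so the two clusters cannot collide there.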

