
Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs




The feature looks interesting! It looks like it should be applicable to
at least qemu and xen; I'm not so sure about LXC or VirtualBox, and it
looks unlikely for VMware unless they have a matching capability (might
be possible since it's based at least partly on DMTF).

It would work with any technology that uses an ethernet interface in
the host, i.e., a tap or backend interface, through which all the VM's
network traffic passes. All firewall rules would be conditioned on the
VM's interface name and jump into a VM-specific rules tree.

As for VirtualBox, since it is Qemu based and probably has a tap
interface, this should also work. I have never used LXC, so I cannot say
much about it, but it would also require a network interface in the host
onto which ebtables and iptables could condition their rules
(ebtables -A ... -i <tap interface name> ...).

It should be applicable to LXC. LXC networking (http://lxc.sourceforge.net/network/configuration.php) can be set up using virtual interfaces and a bridge.

I believe for VMware one would need to write a backend that can translate from
this XML to the VMware APIs. The XML spec can stay the same since, as you
note, it is derived from DMTF (and what is already supported in physical
switches).

Vivek
__

Vivek Kashyap
Linux Technology Center, IBM
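As an added example (not code from this thread or from libvirt), the following Python model shows the rule layout the reply above describes: a built-in chain holds one rule per VM that matches only on the VM's tap interface name and jumps into that VM's own chain, which carries the VM-specific checks. Chain names, interface names, MAC addresses and frame fields are constructed for illustration; the evaluation order mimics how ebtables walks chains.

```python
# Added example, not code from the thread or from libvirt: a small model of the
# per-VM rule tree.  The built-in chain carries one rule per VM that matches only
# on the VM's tap interface name and jumps into that VM's own chain; the VM chain
# holds the VM-specific checks (here MAC and ARP source filtering).
# Interface names, MAC addresses and frame fields below are constructed.
from dataclasses import dataclass, field

VERDICTS = ("ACCEPT", "DROP", "RETURN")

@dataclass
class Rule:
    match: dict            # frame field -> required value, e.g. {"in_if": "vnet0"}
    target: str            # a verdict or the name of a user chain to jump into
    negate: tuple = ()     # fields whose test is inverted (ebtables' "!")

    def matches(self, frame):
        # every field must hold; a negated field must NOT hold; {} matches everything
        return all((frame.get(k) == v) != (k in self.negate)
                   for k, v in self.match.items())

@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = "RETURN"  # user chains fall through to the caller, like ebtables

def walk(chains, name, frame):
    """First matching rule decides; a jump evaluates the user chain and comes back
    to the caller only when that chain ends in RETURN."""
    for rule in chains[name].rules:
        if not rule.matches(frame):
            continue
        if rule.target in VERDICTS:
            return rule.target
        verdict = walk(chains, rule.target, frame)
        if verdict != "RETURN":
            return verdict
    return chains[name].policy

def add_vm_filter(chains, root, tap, mac):
    """Hook a per-VM chain into `root`, conditioned solely on the VM's tap interface."""
    vm_chain = f"vm-{tap}"
    chains[root].rules.append(Rule({"in_if": tap}, vm_chain))
    chains[vm_chain] = Chain([
        Rule({"src_mac": mac}, "DROP", negate=("src_mac",)),                 # not the VM's MAC
        Rule({"proto": "ARP", "arp_src": mac}, "DROP", negate=("arp_src",)),  # ARP for another MAC
        Rule({"proto": "ARP"}, "ACCEPT"),
        Rule({"proto": "IPv4"}, "ACCEPT"),
        Rule({}, "DROP"),                                                     # anything else
    ])

def example_filter():
    """FORWARD chain with one guest on vnet0; vnet1 carries no VM-specific rules."""
    chains = {"FORWARD": Chain(policy="ACCEPT")}
    add_vm_filter(chains, "FORWARD", "vnet0", "52:54:00:aa:bb:01")
    return chains
```

Because the jump rule matches on `in_if` only, traffic on another tap interface never enters the vnet0 chain and is left to the FORWARD policy.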

