Re: [libvirt] iptables and libvirt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2009-02-06 at 13:36 -0500, Karl Wirth wrote:
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host.  The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.

The first issue with this is that the host does not know the IP
addresses in use by the guests; it might be possible to work around that
with setting up rules matching on bridge ports in some cases.

Secondly, network devices may be directly assigned to guests - in that
case, we won't even see any of the packets the guest sends or receives.

I also don't see how you can implement that in the general case, given
what a management nightmare iptables is. The trouble is that in a
general libvirt installation, we could have arbitrary iptables rules in
effect that are not controlled by libvirt. To reliably say, for example,
that we reliably block all ports for VM x, we'd either need to
understand all the existing iptables rules, or insert our rules first in
the appropriate chains and be confident that they will never conflict
with any other manually set up rules.

It would be nice to do this, to offer an additional layer of security,
especially around insecure OS's; to pull that off in practice, you'd
need to assume fairly tight control of the host (e.g., only use shared
network interfaces, only deal with iptables rules set up by a known
application)

With that, iptables management belongs into a higher-level management
app, like ovirt, not libvirt.

David


--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]