On Fri, 2009-02-06 at 13:36 -0500, Karl Wirth wrote:
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host. The idea would be to do
> all of this within the iptables of the host leaving alone the iptables
> of the guests themselves.

The first issue with this is that the host does not know the IP addresses in use by the guests; it might be possible to work around that by setting up rules matching on bridge ports in some cases. Secondly, network devices may be directly assigned to guests; in that case, we won't even see any of the packets the guest sends or receives.

I also don't see how you can implement that in the general case, given what a management nightmare iptables is. The trouble is that in a general libvirt installation, we could have arbitrary iptables rules in effect that are not controlled by libvirt. To reliably say, for example, that we block all ports for VM x, we'd either need to understand all the existing iptables rules, or insert our rules first in the appropriate chains and be confident that they will never conflict with any other manually set up rules.

It would be nice to do this, to offer an additional layer of security, especially around insecure OSes; to pull that off in practice, you'd need to assume fairly tight control of the host (e.g., only use shared network interfaces, only deal with iptables rules set up by a known application).

With that, iptables management belongs in a higher-level management app, like ovirt, not libvirt.

David

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
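The two practical points in the reply above (a per-guest rule keyed on the guest's bridge port, and the need to either understand every pre-existing rule in the chain or make sure the libvirt rule comes first) can be illustrated over `iptables-save` text. The following is an added example written for this thread, not code from libvirt or from the poster; the ruleset, the bridge name `virbr0`, and the tap port name `vnet0` are constructed sample values. It lists the terminating rules that run before a guest's DROP rule in the host `FORWARD` chain (the rules an admin would have to reason about), and shows the "insert ours first" alternative by hoisting the guest rule to the top of the chain.

```python
import re

# Targets that end traversal of a chain; an earlier rule with one of these
# can decide a packet's fate before a later per-guest rule is consulted.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save output (not from a real host): a bridge-wide
# ACCEPT precedes a per-guest DROP keyed on the guest's bridge port vnet0.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vnet0 -j DROP
COMMIT
"""

_APPEND = re.compile(r"^-A (\S+) (.*)$")


def parse_chains(text):
    """Return {chain: [rule_body, ...]} in save-file order; non-rule lines are skipped."""
    chains = {}
    for line in text.splitlines():
        m = _APPEND.match(line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def target_of(rule):
    """Extract the -j target of a rule body, or None if it has no jump."""
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None


def shadowing_rules(chains, chain, port):
    """Terminating rules in `chain` that precede the per-guest rule for `port`.

    Returns None when no rule for that port exists. Each returned rule is one
    the host admin must understand before claiming the guest is blocked; this
    check cannot see traffic on devices assigned directly to a guest.
    """
    rules = chains.get(chain, [])
    idx = next((i for i, r in enumerate(rules) if f"--physdev-out {port}" in r), None)
    if idx is None:
        return None
    return [r for r in rules[:idx] if target_of(r) in TERMINATING]


def hoist_guest_rule(text, chain, port):
    """Rewrite save text so the per-guest rule is the first rule of `chain`.

    Equivalent to loading the rule with `iptables -I <chain> 1 ...` instead of
    `-A`: the guest rule is evaluated before any manually added rule.
    """
    lines = text.splitlines()
    guest = [l for l in lines
             if l.startswith(f"-A {chain} ") and f"--physdev-out {port}" in l]
    if not guest:
        return text
    others = [l for l in lines if l not in guest]
    first = next((i for i, l in enumerate(others) if l.startswith(f"-A {chain} ")),
                 others.index("COMMIT"))
    return "\n".join(others[:first] + guest + others[first:]) + "\n"


if __name__ == "__main__":
    chains = parse_chains(SAMPLE_RULESET)
    for r in shadowing_rules(chains, "FORWARD", "vnet0") or []:
        print("runs before the vnet0 DROP:", r)
    print(hoist_guest_rule(SAMPLE_RULESET, "FORWARD", "vnet0"))
```

On the sample ruleset the bridge-wide `ACCEPT` is reported as preceding the guest's `DROP`, so the "block all ports for VM x" claim would be false until the rule is hoisted; after hoisting, nothing runs before it. The check is deliberately conservative: it lists every earlier terminating rule rather than trying to prove which ones actually overlap, which is exactly the general-case analysis the reply says libvirt cannot reasonably take on.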