On Fri, Feb 06, 2009 at 01:36:23PM -0500, Karl Wirth wrote:
> Hi,
>
> I would like your feedback on the following idea.
>
> What if we could flexibly change the iptables rules for the different
> guests as they are deployed onto the node/host. The idea would be to do
> all of this within the iptables of the host, leaving alone the iptables
> of the guests themselves.
>
> Here are some specifics:
> - Physical systems typically isolated using firewalls protecting well
> known ports.
> - With virt, on shared physical device, use a bridge to give full LAN
> access to vm
> - Or a virtual network which is an isolated bridge with no physical
> connection. Guests can talk to each other directly. Only NAT'd outbound.
> - The idea is to eventually make it easy to centrally set up iptables
> rules for guests that are applied in the host iptables.
> - We would have to be able to migrate the iptables rules and the state
> data with vm as it moves

These bullet points don't really state any clear goal / requirement.

My first assumption is that you're looking for a way to stop a guest
using another guest's IP address. So called 'ip address anti-spoofing'
in Xen terminology. You'd also need to prevent a guest spoofing another
guest's MAC address for this to be worthwhile. Which comes down to a
matter of adding iptables, ip6tables and ebtables rules against the TAP
device, I guess.

Controlling guest <-> guest traffic as you mention below becomes a lot
more complex a problem, because you're considering interactions between
guests' TAP devices, and not just adding rules to control stuff coming
in & out of a single TAP device.

> The benefits of this would be we could:
> - Create networking controls that provide same isolation as physical systems
> - Control which VMs can talk to which others

This has rather a lot of overlap with the stated goals of the sVirt
project, though I don't think that explicitly addresses networking,
mostly disk / host OS resources.
Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
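The host-side anti-spoofing rules Daniel sketches (pinning a guest's TAP device to its assigned MAC and IP with ebtables and iptables, plus a simple guest <-> guest block) as an added example; this is not code from the thread or from libvirt. The TAP names, MAC and IPv4 address are constructed placeholders, the script assumes ebtables and iptables with the physdev match are available on the host and that bridged guest traffic traverses the FORWARD chains, and it covers IPv4 only (the ip6tables side Daniel mentions is left out). By default it runs in dry-run mode and prints the rule commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the libvirt thread: host-side anti-spoofing
# rules for one guest's TAP device. TAP name, MAC and IPv4 address used
# below are constructed placeholders. With DRY_RUN=1 (the default) the
# rule commands are printed rather than executed.

DRY_RUN=${DRY_RUN:-1}

# Accept only a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Accept only a dotted-quad IPv4 address whose octets are all <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print or execute one rule command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Pin a TAP device to its assigned MAC and IPv4 address: frames from the
# guest carrying any other source MAC, ARP sender MAC/IP or IPv4 source
# are dropped on the host, independently of the guest's own iptables.
antispoof_rules() {
    tap=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
    # Ethernet source MAC must be the assigned one (bridge layer).
    run ebtables -A FORWARD -i "$tap" -s ! "$mac" -j DROP
    # ARP traffic must claim the assigned MAC and IP as sender.
    run ebtables -A FORWARD -i "$tap" -p ARP --arp-mac-src ! "$mac" -j DROP
    run ebtables -A FORWARD -i "$tap" -p ARP --arp-ip-src ! "$ip" -j DROP
    # IPv4 source address must be the assigned one (ebtables ip match).
    run ebtables -A FORWARD -i "$tap" -p IPv4 --ip-src ! "$ip" -j DROP
    # Same check at the IP layer for bridged traffic, via the physdev match.
    run iptables -A FORWARD -m physdev --physdev-in "$tap" ! -s "$ip" -j DROP
}

# Block direct guest <-> guest traffic between two TAP devices on one bridge.
isolate_guests() {
    run ebtables -A FORWARD -i "$1" -o "$2" -j DROP
    run ebtables -A FORWARD -i "$2" -o "$1" -j DROP
}

# Dry-run demonstration with constructed values.
antispoof_rules tap0 52:54:00:aa:bb:cc 192.168.122.10
isolate_guests tap0 tap1
```

Run it as-is to review the generated rules; set `DRY_RUN=0` and run as root to apply them. Inserting with `-A` appends to the existing FORWARD chains, so on a real host these rules belong in a dedicated per-guest chain that can be flushed when the guest is torn down or migrated, which is the state the thread notes would have to move with the VM.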