I'd like oVirt to make a more extensive usage of libvirt's nwfilters in order to implement security groups, i.e. which protocol/port/host should be open on an interface.

Since oVirt is centrally-managed by ovirt-engine, filter definitions should be edited there and kept in its database. However, libvirt's domain xml requires to have a locally-defined filter as well:

    <devices>
      <interface type='bridge'>
        <filterref filter='filter-name'/>
      </interface>
    </devices>

We can live with it by defining an ad-hoc filter before starting a VM, deleting it after the VM stops, and collecting garbage (due to system crashes) occasionally.

It would be nicer if we could instead have just-in-time filter definition such as

    <devices>
      <interface type='bridge'>
        <filter name='nameless'>
          <rule/>
          <rule/>
          <rule/>
        </filter>
      </interface>
    </devices>

avoiding nwfilter persistence.

Would something like this be beneficial to other libvirt users?
Would it be easy to implement within libvirt?

Regards,
Dan.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
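
The interim workaround described in the message above (define an ad-hoc filter before the VM starts, reference it from the interface, garbage-collect leftovers after crashes), as an added example that is not part of the original post and is not oVirt or libvirt code. The `adhoc-` name prefix, the rule dict format and the function names are assumptions; the generated XML uses libvirt's documented nwfilter `<filter>`/`<rule>` elements and only builds strings, so defining and undefining the filters on the host is left to the caller.

```python
import ipaddress
import xml.etree.ElementTree as ET

PREFIX = "adhoc-"  # hypothetical marker for engine-generated, per-VM filters

def filter_name(vm_id, nic):
    return f"{PREFIX}{vm_id}-{nic}"

def build_filter_xml(vm_id, nic, rules):
    """Render engine-side rules (constructed dict format) as an nwfilter."""
    flt = ET.Element("filter", name=filter_name(vm_id, nic), chain="root")
    for r in rules:
        if r["proto"] not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {r['proto']!r}")
        port = int(r["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        attrs = {"dstportstart": str(port)}
        if "src" in r:
            net = ipaddress.IPv4Network(r["src"])  # rejects malformed input
            attrs["srcipaddr"] = str(net.network_address)
            attrs["srcipmask"] = str(net.prefixlen)
        rule = ET.SubElement(flt, "rule", action="accept",
                             direction="in", priority="500")
        ET.SubElement(rule, r["proto"], attrs)
    # Drop inbound traffic that no accept rule above matched.
    last = ET.SubElement(flt, "rule", action="drop",
                         direction="in", priority="1000")
    ET.SubElement(last, "all")
    return ET.tostring(flt, encoding="unicode")

def build_interface_xml(bridge, vm_id, nic):
    """Interface element that points at the ad-hoc filter by name."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "filterref", filter=filter_name(vm_id, nic))
    return ET.tostring(iface, encoding="unicode")

def orphaned_filters(defined_names, running_vm_ids):
    """Garbage collection: ad-hoc filters whose VM is no longer running."""
    orphans = []
    for name in defined_names:
        if not name.startswith(PREFIX):
            continue  # leave stock and admin-defined filters alone
        vm_id = name[len(PREFIX):].rsplit("-", 1)[0]
        if vm_id not in running_vm_ids:
            orphans.append(name)
    return orphans
```

The prefix is what keeps the garbage collector from touching filters it did not create, such as libvirt's stock `clean-traffic`.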