netfilter and virtual machines

What hooks are relevant, from the standpoint of the host, for traffic
to, from, and between virtual machines?

I suppose the answer might vary with the identity of the other
endpoint, which might be the host itself, another virtual machine,
another machine on my local network or another machine on the public
internet.

I do see https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
on filtering bridges, which I am using.  But would packets on the
bridge go through both the bridge filters and the filters on the
underlying physical device that is part of the bridge?

As an example, a packet comes from outside destined for a VM.  On the
host, does that mean that the forward hook will be triggered, because
it's being passed on to a "different" machine, or the input hook,
since the target is just a process on the host?

The VMs are running under KVM with libvirt, using some bridged
networking and some of libvirt's default NAT-based virtual networking.
libvirt also has a bunch of options for specifying network filters
https://libvirt.org/formatnwfilter.html; on a quick read they are
about setting up filters inside the VMs.

I also have docker.

Thanks.
Ross Boylan
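
One way to settle the traversal question empirically is a counter-only nftables ruleset with a chain on every relevant hook in both the bridge and inet families; this is an added example, not part of the original mail. Load it with `nft -f`, generate traffic for each endpoint case, then `nft list ruleset` shows which counters moved; the interface names br0, virbr0 and vnet* are assumptions for a typical libvirt host.

```nft
# Assumed names: br0 = host bridge with the physical NIC enslaved,
# virbr0 = libvirt's default NAT network, vnet* = per-VM tap devices.
# Every chain has policy accept and only counts, so nothing is blocked.

table bridge vmtrace {
    chain pre { type filter hook prerouting priority -300; policy accept;
        iifname "vnet*" counter comment "frame entering the bridge from a VM tap" }
    chain fwd { type filter hook forward priority -200; policy accept;
        counter comment "frame switched between bridge ports (VM<->VM, VM<->NIC)" }
    chain in { type filter hook input priority -200; policy accept;
        counter comment "frame handed up to the host's own IP stack" }
    chain out { type filter hook output priority 100; policy accept;
        counter comment "frame originated by the host onto a bridge" }
}

table inet vmtrace {
    chain pre { type filter hook prerouting priority -300; policy accept;
        iifname { "br0", "virbr0" } counter comment "IP packet arriving via a bridge device" }
    chain fwd { type filter hook forward priority 0; policy accept;
        iifname "virbr0" counter comment "routed: VM on NAT network -> elsewhere"
        oifname "virbr0" counter comment "routed: elsewhere -> VM on NAT network"
        iifname "br0" oifname "br0" counter comment "bridged traffic, only counted here if br_netfilter is active" }
    chain in { type filter hook input priority 0; policy accept;
        iifname { "br0", "virbr0" } counter comment "packet addressed to the host itself" }
}
```

Frames switched within a bridge traverse the bridge-family hooks; they additionally pass through the inet forward hook only when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables=1, which is exactly the case the last forward rule is there to reveal.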


