[one-users] Integration with libvirt Network Filter

Shi Jin jinzishuai at gmail.com
Tue Mar 1 10:18:11 PST 2011


Hi there,

So far, we have been using ebtables/iptables running as hooks to enforce
firewall rules on the VMs.
The new libvirt (such as the one in RHEL-6) supports network filters built
into libvirt itself [1] and I think this is a much cleaner way to do it.

I wonder if there is any plan to integrate this new libvirt feature into
OpenNebula. I think the actual association of network filters can still be
done by hooks if a full firewall feature from OpenNebula is too much to ask
for in the short while. But we still require some small additions to the
OpenNebula code in order to implement it by hooks. For example, if we want
to use the no-ip-spoofing nwfilter, the IP address needs to be defined in the
virtual NIC interface of the VM while currently we only have the MAC
address information. It should be a very straightforward process to add and
I am very happy to contribute my code.

Should we start a feature request (it may have many sub features) and build
from there?
Thanks.
Shi

[1] http://libvirt.org/firewall.html

-- 
Shi Jin, Ph.D.
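
Added example, not part of the original message and not OpenNebula code: a sketch of what a hook would have to do to the libvirt domain XML so that the no-ip-spoofing filter gets the IP parameter the message says is missing. The function name, the MAC-to-IP mapping argument and the sample domain are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a domain definition whose NICs carry only a MAC address,
# which is the situation the message describes.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>one-42</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='02:00:c0:a8:01:0a'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br1'/>
      <mac address='02:00:0a:00:00:05'/>
    </interface>
  </devices>
</domain>
"""


def attach_ip_filter(domain_xml, mac_to_ip, filter_name="no-ip-spoofing"):
    """Add <filterref> with an IP parameter to every NIC whose MAC has a known
    address. Returns (new_xml, macs_left_unfiltered) so the caller can decide
    whether to refuse deployment when a NIC would run without a filter."""
    root = ET.fromstring(domain_xml)
    # Normalise MACs and validate addresses up front; a malformed IP raises
    # ValueError here instead of producing a filter that never matches.
    leases = {mac.lower(): str(ipaddress.IPv4Address(ip))
              for mac, ip in mac_to_ip.items()}
    unfiltered = []
    for nic in root.iter("interface"):
        mac_el = nic.find("mac")
        mac = mac_el.get("address", "").lower() if mac_el is not None else ""
        if mac not in leases:
            unfiltered.append(mac)
            continue
        # Replace any existing reference rather than stacking a second one.
        for old in nic.findall("filterref"):
            nic.remove(old)
        ref = ET.SubElement(nic, "filterref", {"filter": filter_name})
        ET.SubElement(ref, "parameter", {"name": "IP", "value": leases[mac]})
    return ET.tostring(root, encoding="unicode"), unfiltered
```
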