[one-users] Libvirt networkfilter firewall implementation for Opennebula
Jhon Masschelein
Jhon.Masschelein at Sara.Nl
Wed Apr 11 02:24:36 PDT 2012
Dear OpenNebula users,
On our OpenNebula cloud, we implemented a libvirt netfilter-based
firewall. First on top of ONE 3.0 and then ported to ONE 3.2.
The black&white ports approach that is already present in ONE does not
seem to answer our needs because one cannot specify IP ranges that
should be allowed access to certain ports. (Please correct me if I am
wrong).
Also, because the iptables are apparently set by oneadmin, we fear that
we might get into unpredictable situations when we have to manually
restart VMs due to, for example, a node crash.
Our implementation is based completely on the libvirt netfilters.
(http://libvirt.org/formatnwfilter.html)
We added a new object called "networkfilter" to the ONE core and
implemented the standard onenetworkfilter CLI command that does pretty
much what you would expect it to do. (It works with the ACL/permission
system.)
A onenetworkfilter is actually just a bunch of parameters that are fed
to the NIC specification in the deployment template. By adding a
"LIBVIRT_NETWORKFILTER" custom attribute to a vnet, the end result is a
network interface that references a libvirt network filter that is
populated with the parameters that are included.
We are able to force the use of networkfilters on certain networks (the
ones that give access to the Internet).
Filters can be created using the CLI command or XML-RPC and we added a
Sunstone plugin to allow people to add IP/port rules using a simple GUI.
(The filter object can work with other variable types like MAC
addresses, but the Sunstone template is limited to IP+port rules.)
A screenshot of the Sunstone tab can be found at
http://tinyurl.com/cpdb5cc . (And of course the "create template" form
was made networkfilter-aware.)
Since these filters are pure libvirt filters and are therefore set and
maintained by libvirt, there is full support for migration, suspending
and whatever else libvirt can do with a VM.
We would like to know whether there is interest in this feature and
whether this is something that could be added to the ONE distribution.
We are porting the code to every new ONE release anyway and would have
no problem contributing (and maintaining) the code.
With kind regards,
Jhon
--
Jhon Masschelein
Senior Systeemprogrammeur
SARA - HPCV
Science Park 140
1098 XG Amsterdam
T +31 (0)20 592 8099
F +31 (0)20 668 3167
M +31 (0)6 4748 9328
E jhon.masschelein at sara.nl
http://www.sara.nl
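The setup described in the message above, as an added example that is not part of the original post and not the SARA patch: a Python script that emits the libvirt nwfilter XML an IP/port allow list needs (the formatnwfilter format linked in the post), builds the NIC <filterref> that carries the per-rule parameters into a deployment file, and reads the allow list back out of that XML so a hand-restarted VM can be checked against the intended rules. The filter name "one-allow-ipport", the variable names ALLOW_IP/ALLOW_MASK/ALLOW_PORT, the bridge/MAC values and the sample rules are assumptions; the "$VAR[@0]" list syntax needs a libvirt with list parameters (0.9.10 or later).

```python
"""Build the libvirt nwfilter XML for an IP/port allow list and the NIC
<filterref> that feeds it parameters.  Example code added here, not the
SARA patch from the post: the filter name, the variable names and the
sample rules are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

FILTER_NAME = "one-allow-ipport"  # assumed name; the post does not give one

# Constructed sample rules: (source CIDR or host, destination TCP port)
SAMPLE_RULES = [("192.0.2.0/24", 22), ("198.51.100.7", 443)]


def validate_rule(cidr, port):
    """Normalise one 'allow <cidr> to tcp/<port>' rule, or raise ValueError.
    The values arrive from a GUI or XML-RPC caller, so they are checked
    here before they become filter parameters; a bad value must never
    reach the deployment file."""
    net = ipaddress.ip_network(cidr, strict=False)  # "198.51.100.7" -> /32
    if net.version != 4:
        raise ValueError("only IPv4 rules in this example: %r" % cidr)
    port = int(port)  # rejects anything that is not a plain integer
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    # libvirt accepts a prefix length for srcipmask
    return str(net.network_address), str(net.prefixlen), str(port)


def build_filter_xml():
    """The nwfilter definition the NIC will reference.  ALLOW_IP,
    ALLOW_MASK and ALLOW_PORT are list variables; the shared iterator
    [@0] makes libvirt walk the three lists in parallel, one concrete
    rule per (ip, mask, port) triple rather than a cartesian product."""
    f = ET.Element("filter", name=FILTER_NAME)
    acc = ET.SubElement(f, "rule", action="accept", direction="in",
                        priority="500")
    ET.SubElement(acc, "tcp", srcipaddr="$ALLOW_IP[@0]",
                  srcipmask="$ALLOW_MASK[@0]", dstportstart="$ALLOW_PORT[@0]")
    # Drop everything else inbound.  <all/> lands in iptables next to the
    # tcp accept above; <ip/> would go to ebtables, which sees the frame
    # first and would drop the traffic before the accept ever matched.
    drop = ET.SubElement(f, "rule", action="drop", direction="in",
                         priority="1000")
    ET.SubElement(drop, "all")
    return ET.tostring(f, encoding="unicode")


def build_nic_xml(bridge, mac, rules):
    """The <interface> element for the deployment file: one <parameter>
    triple per validated rule.  ElementTree escapes attribute values, so
    a rule value cannot inject extra XML (string formatting could)."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=mac)
    ref = ET.SubElement(iface, "filterref", filter=FILTER_NAME)
    for cidr, port in rules:
        ip, mask, port_s = validate_rule(cidr, port)
        ET.SubElement(ref, "parameter", name="ALLOW_IP", value=ip)
        ET.SubElement(ref, "parameter", name="ALLOW_MASK", value=mask)
        ET.SubElement(ref, "parameter", name="ALLOW_PORT", value=port_s)
    return ET.tostring(iface, encoding="unicode")


def rules_from_nic_xml(xml_text):
    """Read the allow list back out of an <interface> element, e.g. to
    check that a VM restarted by hand still carries exactly the intended
    rules.  Returns a list of (ip, mask, port) string triples."""
    iface = ET.fromstring(xml_text)
    ref = iface.find("filterref")
    if ref is None or ref.get("filter") != FILTER_NAME:
        return []
    lists = {"ALLOW_IP": [], "ALLOW_MASK": [], "ALLOW_PORT": []}
    for p in ref.findall("parameter"):
        if p.get("name") in lists:
            lists[p.get("name")].append(p.get("value"))
    if len({len(v) for v in lists.values()}) != 1:
        raise ValueError("parallel parameter lists differ in length")
    return list(zip(lists["ALLOW_IP"], lists["ALLOW_MASK"],
                    lists["ALLOW_PORT"]))


if __name__ == "__main__":
    print(build_filter_xml())
    nic = build_nic_xml("br0", "02:00:c0:00:02:05", SAMPLE_RULES)
    print(nic)
    print(rules_from_nic_xml(nic))
```

Running the script prints the filter definition (load it once per host with "virsh nwfilter-define"), the <interface> fragment that belongs in the VM's deployment file, and the allow list recovered from that fragment. The drop rule uses <all/> on purpose: libvirt puts tcp/udp/icmp/all rules into iptables but ip/arp/mac rules into ebtables, and an ebtables drop would fire before the iptables accept is ever consulted.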