[one-users] Libvirt networkfilter firewall implementation for Opennebula
Jaime Melis
jmelis at opennebula.org
Wed Apr 11 07:21:31 PDT 2012
Hello Jhon,
could you open a new feature request in dev.opennebula.org and upload the
code so we can take a look at it?
Thanks,
Jaime
On Wed, Apr 11, 2012 at 4:00 PM, Jaime Melis <jmelis at opennebula.org> wrote:
> Hello Jhon,
>
> First of all congratulations for doing this, it's an absolutely amazing
> contribution. :-) It rocks!
>
> We're in the process of defining the roadmap for OpenNebula 3.6 and we had
> already thought of improving the network management, especifically the
> management of a NIC's firewall while a VM is running (which I think it's a
> rather nifty feature). I think this could fit in nicely with what you've
> done.
>
> Upon a first look on the rationale you have described in your email:
> creating a specific resource in OpenNebula's core to handle network
> filters, creating a CLI command, xml-rpc interfaces, sunstone tab, etc it
> certainly makes a lot of sense to us to do it that way.
>
> There is something that concerns us, though: if we implement this feature
> only through libvirt, probably VMware won't have support and Xen will
> certainly don't. But I think we can call a different action depending on
> each hypervisor, maybe create a new VMM action to setup network filters. So
> in the end, for KVM it will be done exactly how you've done, but we would
> need to implement those actions for the rest of hypervisors. We have to
> look into this, but I think it's feasible.
>
> Anyways we're really interested in this feature!
>
> Thanks again for your serious hacking and for sharing!
>
> Cheers,
> Jaime
>
>
> On Wed, Apr 11, 2012 at 11:24 AM, Jhon Masschelein <
> Jhon.Masschelein at sara.nl> wrote:
>
>> Dear Openenbula users,
>>
>> On our openenbula cloud, we implemented a libvirt netfilter based
>> firewall. First on top of ONE 3.0 and then ported to ONE 3.2.
>>
>> The black&white ports approach that is already present in ONE does not
>> seem to answer to our needs because one cannot specify ip ranges that
>> should be allowed access to certain ports. (Please correct me if I am
>> wrong).
>>
>> Also, because the iptables are apparently set by oneadmin, we fear that
>> we might get into unpredictable situations when we have to manually restart
>> VMs due to, for example, a node crash.
>>
>>
>> Our implementation is based completely on the libvirt netfilters. (
>> http://libvirt.org/**formatnwfilter.html<http://libvirt.org/formatnwfilter.html>
>> )
>> We added a new object called "networkfilter" to the ONE core and
>> implemented the standards onenetworkfiler cli command that does pretty much
>> what you would expect it to do. (It works with the acl/permission system.)
>>
>> A onenetworkfilter is actually just a bunch of parameters that are fed to
>> the NIC specification in the deployment template. By adding a
>> "LIBVIRT_NETWORKFILTER" custom attribute to a vnet, the end result is a
>> network interface that references a libvirt network filter that is
>> populated with the parameters that are included.
>>
>> We are able to force the use of networkfilters on certain networks (the
>> ones that give access to the Internet).
>>
>> Filters can be created using the cli command or xml-rpc and we added a
>> sunstone plugin to allow people to add ip/port rules using a simple gui.
>> (The filter object can work with other variables types like mac adresses,
>> but the sunstone template is limited to ip+port rules.)
>>
>> A screenshot of the sunstone tab can be found at
>> http://tinyurl.com/cpdb5cc . (And of course the "create template" form
>> was made networkfiler-aware.)
>>
>> Since these filters are pure libvirt filters and are therefore set and
>> maintained by libvirt, there is full support for migration, suspending and
>> whatever else libvirt can do with a VM.
>>
>>
>> We would like to know whether there is interest in this feature and
>> whether this is something that could be added to the ONE distribution.
>>
>> We are porting the code to every new ONE release anyway and would have no
>> problem contributing (and maintaining) the code.
>>
>> With kind regards,
>>
>> Jhon
>>
>> --
>> Jhon Masschelein
>> Senior Systeemprogrammeur
>> SARA - HPCV
>>
>> Science Park 140
>> 1098 XG Amsterdam
>> T +31 (0)20 592 8099
>> F +31 (0)20 668 3167
>> M +31 (0)6 4748 9328
>> E jhon.masschelein at sara.nl
>> http://www.sara.nl
>> ______________________________**_________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/**listinfo.cgi/users-opennebula.**org<http://lists.opennebula.org/listinfo.cgi/users-opennebula.org>
>>
>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | jmelis at opennebula.org
>
--
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20120411/1a52f4df/attachment-0002.htm>
More information about the Users
mailing list