[one-users] Libvirt networkfilter firewall implementation for Opennebula

Jaime Melis jmelis at opennebula.org
Wed Apr 11 07:00:34 PDT 2012


Hello Jhon,

First of all congratulations for doing this, it's an absolutely amazing
contribution.  :-) It rocks!

We're in the process of defining the roadmap for OpenNebula 3.6 and we had
already thought of improving the network management, specifically the
management of a NIC's firewall while a VM is running (which I think is a
rather nifty feature). I think this could fit in nicely with what you've
done.

Upon a first look at the rationale you have described in your email
(creating a specific resource in OpenNebula's core to handle network
filters, creating a CLI command, xml-rpc interfaces, sunstone tab, etc.), it
certainly makes a lot of sense to us to do it that way.

There is something that concerns us, though: if we implement this feature
only through libvirt, VMware probably won't support it and Xen certainly
won't. But I think we can call a different action depending on each
hypervisor, maybe create a new VMM action to set up network filters. So in
the end, for KVM it will be done exactly how you've done it, but we would
need to implement those actions for the rest of the hypervisors. We have to
look into this, but I think it's feasible.

Anyways we're really interested in this feature!

Thanks again for your serious hacking and for sharing!

Cheers,
Jaime


On Wed, Apr 11, 2012 at 11:24 AM, Jhon Masschelein <Jhon.Masschelein at sara.nl> wrote:

> Dear OpenNebula users,
>
> On our OpenNebula cloud, we implemented a libvirt netfilter based
> firewall. First on top of ONE 3.0 and then ported to ONE 3.2.
>
> The black&white ports approach that is already present in ONE does not
> seem to answer our needs because one cannot specify ip ranges that
> should be allowed access to certain ports. (Please correct me if I am
> wrong.)
>
> Also, because the iptables are apparently set by oneadmin, we fear that we
> might get into unpredictable situations when we have to manually restart
> VMs due to, for example, a node crash.
>
>
> Our implementation is based completely on the libvirt netfilters
> (http://libvirt.org/formatnwfilter.html).
> We added a new object called "networkfilter" to the ONE core and
> implemented the standard onenetworkfilter cli command that does pretty much
> what you would expect it to do. (It works with the acl/permission system.)
>
> A onenetworkfilter is actually just a bunch of parameters that are fed to
> the NIC specification in the deployment template. By adding a
> "LIBVIRT_NETWORKFILTER" custom attribute to a vnet, the end result is a
> network interface that references a libvirt network filter that is
> populated with the parameters that are included.
>
> We are able to force the use of networkfilters on certain networks (the
> ones that give access to the Internet).
>
> Filters can be created using the cli command or xml-rpc and we added a
> sunstone plugin to allow people to add ip/port rules using a simple gui.
> (The filter object can work with other variable types like mac addresses,
> but the sunstone template is limited to ip+port rules.)
>
> A screenshot of the sunstone tab can be found at
> http://tinyurl.com/cpdb5cc . (And of course the "create template" form
> was made networkfilter-aware.)
>
> Since these filters are pure libvirt filters and are therefore set and
> maintained by libvirt, there is full support for migration, suspending and
> whatever else libvirt can do with a VM.
>
>
> We would like to know whether there is interest in this feature and
> whether this is something that could be added to the ONE distribution.
>
> We are porting the code to every new ONE release anyway and would have no
> problem contributing (and maintaining) the code.
>
> With kind regards,
>
> Jhon
>
> --
> Jhon Masschelein
> Senior Systeemprogrammeur
> SARA - HPCV
>
> Science Park 140
> 1098 XG Amsterdam
> T +31 (0)20 592 8099
> F +31 (0)20 668 3167
> M +31 (0)6 4748 9328
> E jhon.masschelein at sara.nl
> http://www.sara.nl



-- 
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
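To make the mechanism Jhon describes concrete (a filter object whose ip/port rules become parameters on the NIC's libvirt filterref), here is an added example that is not Jhon's code nor part of OpenNebula: a small Ruby helper that validates the rules and emits both a parametrised libvirt nwfilter and the <interface> fragment of a deployment template. The filter name `one-ip-port-allow`, the parameter names and the rule shape are assumptions for this example.

```ruby
require 'ipaddr'

# Parametrised libvirt nwfilter (name chosen for this example). $SRCIP,
# $SRCMASK and $PORT share libvirt's default iterator, so their value lists
# are consumed in lockstep: element i of each list forms rule i. Inbound
# IPv4 traffic matching no tuple is dropped by the last rule.
FILTER_XML = <<~XML
  <filter name='one-ip-port-allow' chain='ipv4'>
    <rule action='accept' direction='in' priority='500'>
      <tcp srcipaddr='$SRCIP' srcipmask='$SRCMASK' dstportstart='$PORT'/>
    </rule>
    <rule action='drop' direction='in' priority='1000'/>
  </filter>
XML

# Rules come from end users (CLI/Sunstone) and end up inside libvirt XML,
# so every value is checked before it is interpolated. Returns a clean copy.
def validate_rule(rule)
  ip = IPAddr.new(rule[:src].to_s)             # raises on non-IP input
  raise ArgumentError, "IPv4 only: #{rule[:src]}" unless ip.ipv4?
  mask = Integer(rule[:mask].to_s, 10)
  raise ArgumentError, "bad mask: #{mask}" unless (0..32).cover?(mask)
  port = Integer(rule[:port].to_s, 10)
  raise ArgumentError, "bad port: #{port}" unless (1..65535).cover?(port)
  { src: ip.to_s, mask: mask, port: port }
end

# Build the NIC part of the deployment template: one parameter triple per
# validated rule, referencing the filter above.
def nic_xml(bridge, mac, rules)
  raise ArgumentError, "bad bridge: #{bridge}" unless bridge =~ /\A[\w.-]{1,15}\z/
  raise ArgumentError, "bad mac: #{mac}" unless mac =~ /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i
  lines = ["<interface type='bridge'>",
           "  <source bridge='#{bridge}'/>",
           "  <mac address='#{mac}'/>",
           "  <filterref filter='one-ip-port-allow'>"]
  rules.map { |r| validate_rule(r) }.each do |r|
    lines << "    <parameter name='SRCIP' value='#{r[:src]}'/>"
    lines << "    <parameter name='SRCMASK' value='#{r[:mask]}'/>"
    lines << "    <parameter name='PORT' value='#{r[:port]}'/>"
  end
  lines << '  </filterref>' << '</interface>'
  lines.join("\n") + "\n"
end

# Constructed sample input: SSH from one /16, HTTPS from one /24.
SAMPLE_RULES = [{ src: '145.100.0.0', mask: '16', port: 22 },
                { src: '10.10.0.0', mask: 24, port: '443' }].freeze
puts FILTER_XML, nic_xml('br0', '02:00:91:64:00:01', SAMPLE_RULES) if $PROGRAM_NAME == __FILE__
```

The filter only covers the ipv4 chain; ARP and IPv6 handling (for instance via libvirt's shipped clean-traffic filter) would be added separately.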

