[ https://issues.apache.org/jira/browse/CLOUDSTACK-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15085630#comment-15085630 ]
Wido den Hollander commented on CLOUDSTACK-1164:
------------------------------------------------

Recently I've been testing with this and from what I can see now it should be able to replace the current KVM security grouping.

A simple network filter like this already works fine: https://gist.github.com/wido/c2d20dcec770973f4e2e

<filter name='network_filter_1' chain='ipv4' priority='-700'>
  <uuid>64b80046-9a9d-40c2-8782-ed5878146262</uuid>
  <!-- outbound: drop frames whose source MAC is not the VM's own (anti-spoofing) -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='52:54:00:01:ad:9d'/>
  </rule>
  <!-- outbound: stop filtering for traffic from the VM's known addresses -->
  <rule action='return' direction='out' priority='500'>
    <ip srcipaddr='192.168.100.101'/>
  </rule>
  <rule action='return' direction='out' priority='501'>
    <ip srcipaddr='192.168.100.201'/>
  </rule>
  <rule action='return' direction='out' priority='502'>
    <ip srcipaddr='10.0.0.0' srcipmask='24'/>
  </rule>
  <!-- outbound: everything else is dropped -->
  <rule action='drop' direction='out' priority='1000'/>
  <!-- inbound: allow ICMP and TCP 22/80/443, drop the rest -->
  <rule action='accept' direction='in' priority='500'>
    <icmp/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='80'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='443'/>
  </rule>
  <rule action='drop' direction='in' priority='1000'>
    <all/>
  </rule>
</filter>

Something to keep in mind, since filters can be reloaded on the fly just like security grouping right now.

> Use libvirt for security groups for KVM
> ---------------------------------------
>
>                 Key: CLOUDSTACK-1164
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1164
>             Project: CloudStack
>          Issue Type: Wish
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Hypervisor Controller, KVM
>    Affects Versions: 4.0.0, 4.1.0
>            Reporter: Wido den Hollander
>              Labels: kvm, libvirt, security-groups
>             Fix For: Future
>
>
> The current implementation for the security groups uses a custom Python
> script which applies iptables and ebtables rules to the hypervisor.
> Libvirt also supports this with network filters:
> http://libvirt.org/formatnwfilter.html
> It might be cleaner to do this via libvirt, but the downside is that a lot of
> functions are only supported by libvirt 0.9.8 and higher.
> This might not be possible at this moment, but it might be worth a shot at a
> later stage.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
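The filter in the comment above is hand-written, but the point of the issue is that CloudStack would have to generate such a filter per NIC from its security-group rules. The following is an added example, not code from the comment, the gist, or CloudStack itself: it builds a libvirt nwfilter document with the same structure (MAC anti-spoofing, a whitelist of the VM's own source addresses, per-rule ingress accepts, drop-all defaults) from a small hypothetical rule model, and goes slightly beyond the posted filter by supporting port ranges (`dstportend`) and a source network on an ingress rule. The input data, the `build_nwfilter`/`summarize` functions and the rule dictionaries are all constructed for this example.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed sample input for one VM NIC; this is a hypothetical data model,
# not CloudStack's own security-group objects.
VM_MAC = "52:54:00:01:ad:9d"
VM_IPS = ["192.168.100.101", "192.168.100.201"]
EXTRA_SRC_NETS = [("10.0.0.0", "24")]   # extra source CIDRs the VM may send from
INGRESS_RULES = [
    {"proto": "icmp"},
    {"proto": "tcp", "start": 22, "end": 22},
    {"proto": "tcp", "start": 80, "end": 80},
    {"proto": "tcp", "start": 443, "end": 443},
    # a port range restricted to one source network, beyond the posted filter
    {"proto": "udp", "start": 10000, "end": 10100, "src": ("192.168.100.0", "24")},
]


def build_nwfilter(name, mac, ips, extra_nets, ingress, filter_uuid=None):
    """Return the XML text of a libvirt nwfilter for one VM NIC."""
    flt = ET.Element("filter", name=name, chain="ipv4", priority="-700")
    # Keeping the same uuid across redefinitions lets libvirt update the
    # filter in place instead of creating a second one.
    ET.SubElement(flt, "uuid").text = filter_uuid or str(uuid.uuid4())

    # Egress: drop frames whose source MAC is not the VM's own (anti-spoofing),
    # 'return' (stop filtering) for the VM's known source addresses, drop the rest.
    rule = ET.SubElement(flt, "rule", action="drop", direction="out", priority="500")
    ET.SubElement(rule, "mac", match="no", srcmacaddr=mac)
    prio = 500
    for ip in ips:
        rule = ET.SubElement(flt, "rule", action="return", direction="out", priority=str(prio))
        ET.SubElement(rule, "ip", srcipaddr=ip)
        prio += 1
    for net, mask in extra_nets:
        rule = ET.SubElement(flt, "rule", action="return", direction="out", priority=str(prio))
        ET.SubElement(rule, "ip", srcipaddr=net, srcipmask=mask)
        prio += 1
    ET.SubElement(flt, "rule", action="drop", direction="out", priority="1000")

    # Ingress: one accept rule per security-group rule, then drop everything else.
    for sg in ingress:
        rule = ET.SubElement(flt, "rule", action="accept", direction="in", priority="500")
        attrs = {}
        if "src" in sg:
            attrs["srcipaddr"], attrs["srcipmask"] = sg["src"]
        if sg["proto"] in ("tcp", "udp"):
            attrs["dstportstart"] = str(sg["start"])
            if sg["end"] != sg["start"]:
                attrs["dstportend"] = str(sg["end"])
        ET.SubElement(rule, sg["proto"], **attrs)
    rule = ET.SubElement(flt, "rule", action="drop", direction="in", priority="1000")
    ET.SubElement(rule, "all")
    return ET.tostring(flt, encoding="unicode")


def summarize(xml_text):
    """Parse a filter back and count rules per (direction, action).

    Useful as a sanity check before handing the document to libvirt: a missing
    drop-all in either direction shows up immediately as a missing key.
    """
    root = ET.fromstring(xml_text)
    counts = {}
    for rule in root.findall("rule"):
        key = (rule.get("direction"), rule.get("action"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(build_nwfilter("network_filter_1", VM_MAC, VM_IPS, EXTRA_SRC_NETS, INGRESS_RULES))
    print(summarize(build_nwfilter("network_filter_1", VM_MAC, VM_IPS, EXTRA_SRC_NETS, INGRESS_RULES)))
```

The generated document can be loaded with `virsh nwfilter-define <file>` and referenced from the domain's `<interface>` via `<filterref filter='network_filter_1'/>`; redefining a filter with the same name updates it for running guests, which is the "reload on the fly" behaviour the comment relies on.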