[jira] [Commented] (CLOUDSTACK-1164) Use libvirt for security groups for KVM

Wed, 06 Jan 2016 07:08:49 -0800 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15085630#comment-15085630
 ] 

Wido den Hollander commented on CLOUDSTACK-1164:
------------------------------------------------

Recently I've been testing with this and from what I can see now it should be 
able to replace the current KVM security grouping.

A simple network filter like this already works fine: 
https://gist.github.com/wido/c2d20dcec770973f4e2e

<filter name='network_filter_1' chain='ipv4' priority='-700'>
  <uuid>64b80046-9a9d-40c2-8782-ed5878146262</uuid>

  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='52:54:00:01:ad:9d'/>
  </rule>

  <rule action='return' direction='out' priority='500'>
    <ip srcipaddr='192.168.100.101'/>
  </rule>

  <rule action='return' direction='out' priority='501'>
    <ip srcipaddr='192.168.100.201'/>
  </rule>

  <rule action='return' direction='out' priority='502'>
    <ip srcipaddr='10.0.0.0' srcipmask='24'/>
  </rule>

  <rule action='drop' direction='out' priority='1000'/>

  <rule action='accept' direction='in' priority='500'>
    <icmp/>
  </rule>

  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>

  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='80'/>
  </rule>

  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='443'/>
  </rule>

  <rule action='drop' direction='in' priority='1000'>
    <all/>
  </rule>
</filter>

Something to keep in mind since filters can be reload on the fly just like 
security grouping right now.

> Use libvirt for security groups for KVM
> ---------------------------------------
>
>                 Key: CLOUDSTACK-1164
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1164
>             Project: CloudStack
>          Issue Type: Wish
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Hypervisor Controller, KVM
>    Affects Versions: 4.0.0, 4.1.0
>            Reporter: Wido den Hollander
>              Labels: kvm, libvirt, security-groups
>             Fix For: Future
>
>
> The current implementation for the security groups uses a custom Python 
> script which applies iptable and ebtable rules to the hypervisor.
> Libvirt also supports this with network filters: 
> http://libvirt.org/formatnwfilter.html
> It might be cleaner to do this via libvirt, but the downside is that a lot of 
> functions are only supported by libvirt 0.9.8 and higher.
> This might not be possible at this moment, but it might be worth a shot at a 
> later stadium.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to