← Back to team overview

nova team mailing list archive

Network filtering for libvirt and for non-libvirt hypervisors


I have a spec[1] and a corresponding branch[2] about making basic use of
libvirt's nwfilter support. It basically just adds a snippet to the
libvirt templates that enables a number of network filtering techniques.
Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
didn't bother making this configurable, since it seems like the sort of
thing everyone will always want. As such, there's no API call to enable
it, nor is there a setting in the datamodel that enables/disables it.

While this is a great feature to have, it raises a few questions about
the non-libvirt hypervisors.

Ideally, of course, we don't want the choice of hypervisors to affect
the utility of Nova. Lacking decent network filtering IMO limits a cloud
computing platform's utility significantly.

So, what to do? Should we more clearly define the contract to which a
hypervisor driver is meant to adhere and list the above mentioned
spoofing protections as requirements? We could assign specific people as
designated maintainers of the different hypervisor drivers, and make it
their responsibility to make their driver conformant to the contract.

Other suggestions?

I also have another spec[3] and a corresponding branch[4] that
implements EC2 style security groups using libvirt's nwfilter. This is a
bigger chunk of work, but it seems like it should follow the same pattern.

[1]: https://blueprints.launchpad.net/nova/+spec/austin-nwfilter
[2]: https://code.launchpad.net/~soren/nova/nwfilter
[3]: https://blueprints.launchpad.net/nova/+spec/austin-ec2-security-groups
[4]: https://code.launchpad.net/~soren/nova/ec2-security-groups

Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/

Follow ups