nova team mailing list archive
Re: Network filtering for libvirt and for non-libvirt hypervisors
On Wed, Sep 15, 2010 at 7:33 AM, Soren Hansen <soren@xxxxxxxxxx> wrote:
> I have a spec and a corresponding branch about making basic use of
> libvirt's nwfilter support. It basically just adds a snippet to the
> libvirt templates that enables a number of network filtering techniques.
> Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
> didn't bother making this configurable, since it seems like the sort of
> thing everyone will always want. As such, there's no API call to enable
> it, nor is there a setting in the datamodel that enables/disables it.
\o/ +1 for specs and blueprints :)
> While this is a great feature to have, it raises a few questions about
> the non-libvirt hypervisors.
> Ideally, of course, we don't want the choice of hypervisors to affect
> the utility of Nova. Lacking decent network filtering IMO limits a cloud
> computing platform's utility significantly.
> So, what to do? Should we more clearly define the contract to which a
> hypervisor driver is meant to adhere and list the above mentioned
> spoofing protections as requirements? We could assign specific people as
> designated maintainers of the different hypervisor drivers, and make it
> their responsibility to make their driver conformant to the contract.
Not sure. I'll wait to hear from the vendors on this one.
> Other suggestions?
> I also have another spec and a corresponding branch that
> implements EC2 style security groups using libvirt's nwfilter. This is a
> bigger chunk of work, but it seems like it should follow the same pattern.
> : https://blueprints.launchpad.net/nova/+spec/austin-nwfilter
> : https://code.launchpad.net/~soren/nova/nwfilter
> : https://blueprints.launchpad.net/nova/+spec/austin-ec2-security-groups
> : https://code.launchpad.net/~soren/nova/ec2-security-groups
> Soren Hansen
> Ubuntu Developer http://www.ubuntu.com/
> OpenStack Developer http://www.openstack.org/
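
The MAC, ARP and IP spoofing protection described in the quoted proposal can be checked per guest from the libvirt domain XML. The script below is an added example, not code from this thread or from the Nova branch: it reports interfaces whose `filterref` elements do not cover all three protections. It assumes libvirt's stock filter names (`clean-traffic`, `no-mac-spoofing`, `no-ip-spoofing`, `no-arp-spoofing`); the function name, the coverage map and the sample domain are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: libvirt's stock filter names; nested filters are not resolved.
COVERS = {
    "clean-traffic": {"mac", "ip", "arp"},
    "no-mac-spoofing": {"mac"},
    "no-ip-spoofing": {"ip"},
    "no-arp-spoofing": {"arp"},
}
REQUIRED = {"mac", "ip", "arp"}

# Constructed sample domain definition (not taken from the Nova branch).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:01'/>
      <source bridge='br100'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.0.0.3'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:02'/>
      <source bridge='br100'/>
      <filterref filter='no-mac-spoofing'/>
    </interface>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:03'/>
      <source bridge='br100'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml):
    """Return {mac: sorted missing protections} for under-filtered NICs."""
    findings = {}
    for nic in ET.fromstring(domain_xml).iter("interface"):
        mac = nic.find("mac").get("address")
        have = set()
        for ref in nic.findall("filterref"):
            have |= COVERS.get(ref.get("filter"), set())
        missing = REQUIRED - have
        if missing:
            findings[mac] = sorted(missing)
    return findings

if __name__ == "__main__":
    print(audit_interfaces(SAMPLE_DOMAIN))
```

A filter name that is not in the map counts as providing no protection, so site-specific filters need to be added to `COVERS` or resolved with `virsh nwfilter-dumpxml` first.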