openstack team mailing list archive
Message #07322
confused about libvirt nwfilter and iptables rules
hi, all:
I am confused about how security rules work. I read /nova/virt/libvirt/firewall.py and /nova/network/linux_net.py, and my understanding is that when a security rule is created or changed, the process is as below:
request to nova osapi -> update db for the rule -> call method trigger_security_group_rules_refresh() -> rpc.cast to all relevant compute nodes -> call refresh_security_group_rules(). It seems that refresh_security_group_rules gets the rules from the db and uses libvirt to define them.
But how is iptables invoked to create rules like "nova-compute-inst-22"?
Another question is that libvirt defines nova-base-filter, which allows any packets out and drops all packets in, but it is not used by the instance nwfilter. The instance nwfilter only has the no-mac-spoofing, no-arp-spoofing, no-ip-spoofing, and allow-dhcp-server filters.
If I misunderstand something, please correct me. Thanks.
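As an added example that is not part of the original post and not Nova's or libvirt's own code: a small Python audit that walks libvirt nwfilter definitions in the shape `virsh nwfilter-dumpxml <name>` prints, resolves `<filterref>` references transitively, and reports whether a named base filter (here nova-base-filter, as discussed in the post) is actually reachable from an instance's filter and whether any reachable rule imposes a default inbound drop. The filter XML below is constructed and simplified, and `instance-filter-example` is a placeholder name rather than Nova's real per-instance naming.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified nwfilter documents (the shape `virsh nwfilter-dumpxml`
# prints). They are illustrative, not captured from a real Nova host.
FILTER_XML = {
    "nova-base-filter": """
<filter name='nova-base-filter' chain='root'>
  <rule action='accept' direction='out' priority='100'><all/></rule>
  <rule action='drop' direction='in' priority='200'><all/></rule>
</filter>""",
    "no-mac-spoofing": """
<filter name='no-mac-spoofing' chain='mac'>
  <rule action='return' direction='out' priority='500'><mac srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out' priority='500'><mac/></rule>
</filter>""",
    "no-ip-spoofing": """
<filter name='no-ip-spoofing' chain='ipv4-ip'>
  <rule action='return' direction='out' priority='500'><ip srcipaddr='$IP'/></rule>
  <rule action='drop' direction='out' priority='1000'><ip/></rule>
</filter>""",
    "no-arp-spoofing": """
<filter name='no-arp-spoofing' chain='arp'>
  <rule action='return' direction='out' priority='500'><arp arpsrcipaddr='$IP'/></rule>
  <rule action='drop' direction='out' priority='1000'><arp/></rule>
</filter>""",
    "allow-dhcp-server": """
<filter name='allow-dhcp-server' chain='ipv4'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>""",
    # Placeholder for a per-instance filter: it references the four filters the
    # post lists and, like the post describes, never references nova-base-filter.
    "instance-filter-example": """
<filter name='instance-filter-example' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>""",
}


def parse_filter(xml_text):
    """Return (name, referenced filter names, rules) for one nwfilter document.

    Each rule is (action, direction, priority, tuple of match element tags),
    e.g. ('drop', 'in', 200, ('all',)).
    """
    root = ET.fromstring(xml_text.strip())
    refs = [fr.get("filter") for fr in root.findall("filterref")]
    rules = []
    for rule in root.findall("rule"):
        matches = tuple(child.tag for child in rule)
        rules.append((rule.get("action"), rule.get("direction"),
                      int(rule.get("priority", "500")), matches))
    return root.get("name"), refs, rules


def build_catalog(xml_by_name):
    """Map filter name -> (refs, rules), keyed by the name inside the XML."""
    catalog = {}
    for xml_text in xml_by_name.values():
        name, refs, rules = parse_filter(xml_text)
        catalog[name] = (refs, rules)
    return catalog


def reachable_filters(name, catalog, _seen=None):
    """Transitively resolve <filterref> entries starting at `name`.

    Referenced-but-undefined names are kept so they can be flagged; the
    `_seen` set also guards against reference cycles.
    """
    seen = set() if _seen is None else _seen
    for ref in catalog.get(name, ([], []))[0]:
        if ref not in seen:
            seen.add(ref)
            reachable_filters(ref, catalog, seen)
    return seen


def missing_definitions(name, catalog):
    """Filter names referenced from `name` that have no definition in the catalog."""
    return sorted(r for r in reachable_filters(name, catalog) if r not in catalog)


def uses_filter(instance_filter, wanted, catalog):
    """True if `wanted` is applied to the interface via `instance_filter`'s reference tree."""
    return wanted in reachable_filters(instance_filter, catalog)


def has_default_inbound_drop(name, catalog):
    """True if `name` or anything it references drops all inbound traffic
    (action='drop', direction='in', matching <all/>)."""
    for fname in {name} | reachable_filters(name, catalog):
        for action, direction, _prio, matches in catalog.get(fname, ([], []))[1]:
            if action == "drop" and direction == "in" and matches == ("all",):
                return True
    return False


CATALOG = build_catalog(FILTER_XML)

if __name__ == "__main__":
    inst = "instance-filter-example"
    print("applied filters:", sorted(reachable_filters(inst, CATALOG)))
    print("nova-base-filter reachable:", uses_filter(inst, "nova-base-filter", CATALOG))
    print("default inbound drop present:", has_default_inbound_drop(inst, CATALOG))
    print("dangling references:", missing_definitions(inst, CATALOG))
```

Run against real hosts by replacing `FILTER_XML` with the output of `virsh nwfilter-list` and `virsh nwfilter-dumpxml` for each listed filter; the reachability check is the quick way to confirm whether a base filter is part of an interface's effective policy or merely defined.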