openstack team mailing list archive
Mailing list archive
confused about libvirt nwfilter and iptables rules
I am confued about how security rules works ,i read the
/nova/virt/libvirt/firewall.py and /nova/network/linux_net.py ,
my understanding is when create or change a security rule ,the process is
reuqest to nova osapi->update db for the rule->call method
trigger_security_group_rules_refresh()->rpc.cast to all reletave compute
->call refresh_security_group_rules(),it seems
that refresh_security_group_rules get the rule from the db and use libvirt
to define the rules.
but how iptables are invoked to create rules "like nova-compute-inst-22".
anther question is libvirt defines nova-base-filter which allow any
packets out and drop all packets in ,but it does not used by the instance
the instance nwfilter only has no-mac-spoofing
,no-arp-spoofing,no-ip-spoofing ,and allow-dhcp-server filter.
if I misunderstand some thing ,please correct me ,thks .