← Back to team overview

openstack team mailing list archive

confused about libvirt nwfilter and iptables rules


          I am confued about how security  rules works ,i read the
 /nova/virt/libvirt/firewall.py  and /nova/network/linux_net.py ,
my understanding is when create or change a  security  rule ,the process is
as below.
reuqest to  nova osapi->update db  for the rule->call method
 trigger_security_group_rules_refresh()->rpc.cast to all reletave compute
->call refresh_security_group_rules(),it seems
that refresh_security_group_rules get the rule from the db and use libvirt
to define the rules.
but how  iptables are invoked to create rules  "like nova-compute-inst-22".

anther question is  libvirt defines  nova-base-filter which allow any
packets out and drop all packets  in ,but it does not used by the instance
the instance nwfilter only has no-mac-spoofing
,no-arp-spoofing,no-ip-spoofing ,and allow-dhcp-server filter.

if I misunderstand some thing ,please correct me ,thks .

Follow ups