openstack team mailing list archive

Re: confused about libvirt nwfilter and iptables rules


The original implementation of this filtering used only nwfilter. Due
to shortcomings in nwfilter in libvirt and netfilter in the Linux
kernel, this turned out not to work very well at all, so an alternate
implementation using raw iptables was added. This is now the default.
However, nwfilter works excellently at protecting against MAC
spoofing, ARP spoofing and IP spoofing, so we still use it for that.

Does that help?

2012/2/7 heut2008 <heut2008@xxxxxxxxx>:
> hi, all:
>           I am confused about how security rules work. I read
> /nova/virt/libvirt/firewall.py and /nova/network/linux_net.py, and
> my understanding is that when a security rule is created or changed, the process is
> as below:
> request to nova osapi -> update db for the rule -> call method
> trigger_security_group_rules_refresh() -> rpc.cast to all relevant compute
> nodes
> -> call refresh_security_group_rules(). It seems
> that refresh_security_group_rules gets the rule from the db and uses libvirt
> to define the rules.
> But how is iptables invoked to create rules like "nova-compute-inst-22"?
> Another question is that libvirt defines nova-base-filter, which allows any
> packets out and drops all packets in, but it is not used by the instance
> nwfilter.
> The instance nwfilter only has the no-mac-spoofing,
> no-arp-spoofing, no-ip-spoofing and allow-dhcp-server filters.
> If I misunderstand something, please correct me. Thanks.
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack

Soren Hansen        | http://linux2go.dk/
Ubuntu Developer    | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
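Since the reply describes two separate layers (libvirt nwfilter for MAC/ARP/IP anti-spoofing, raw iptables for the security-group rules), an operator auditing a compute node wants to confirm both are actually present for a guest. The following is an added example, not Nova's own code: it checks a libvirt `<filter>` definition for the four anti-spoofing references named in the thread and counts the rules in the per-instance `nova-compute-inst-*` chain from `iptables-save` output. The filter name, the MAC suffix and the iptables lines are constructed sample data.

```python
"""Audit the two Nova guest-filtering layers discussed in the thread:
libvirt nwfilter anti-spoofing references and the per-instance iptables
chain.  Example code, not part of Nova; all sample input is constructed."""
import re
import xml.etree.ElementTree as ET

# Filters the thread says Nova still attaches on the nwfilter side.
EXPECTED_NWFILTERS = {"no-mac-spoofing", "no-arp-spoofing",
                      "no-ip-spoofing", "allow-dhcp-server"}

# Constructed sample: an instance filter as `virsh nwfilter-dumpxml` would show it.
SAMPLE_FILTER_XML = """<filter name='nova-instance-instance-00000016-fa163e0a0b0c' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>"""

# Constructed sample: a fragment of `iptables-save` with one instance chain.
SAMPLE_IPTABLES = """*filter
:INPUT ACCEPT [0:0]
:nova-compute-inst-22 - [0:0]
:nova-compute-sg-fallback - [0:0]
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-22
-A nova-compute-inst-22 -m state --state INVALID -j DROP
-A nova-compute-inst-22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A nova-compute-inst-22 -j nova-compute-sg-fallback
COMMIT"""


def nwfilter_references(filter_xml: str) -> set:
    """Names of filters referenced via <filterref> in a libvirt filter definition."""
    root = ET.fromstring(filter_xml)
    return {ref.get("filter") for ref in root.iter("filterref") if ref.get("filter")}


def missing_nwfilters(filter_xml: str) -> set:
    """Anti-spoofing filters the instance filter should reference but does not."""
    return EXPECTED_NWFILTERS - nwfilter_references(filter_xml)


def instance_chains(iptables_save: str) -> dict:
    """Map each nova-compute-inst-* chain to its rule count (0 = declared but empty)."""
    chains = {}
    for line in iptables_save.splitlines():
        declared = re.match(r"^:(nova-compute-inst-\d+)\s", line)
        if declared:
            chains.setdefault(declared.group(1), 0)
        rule = re.match(r"^-A (nova-compute-inst-\d+)\s", line)
        if rule:
            chains[rule.group(1)] = chains.get(rule.group(1), 0) + 1
    return chains
```

A chain that is declared but has a count of 0 means the iptables layer exists for that instance but carries no security-group rules, which is worth flagging separately from a chain that is absent altogether.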