Backlog #1225

Flexible firewall definition and dynamic behavior

Added by Ruben S. Montero over 8 years ago. Updated over 2 years ago.

Status: Closed
Start date: 05/13/2013
Priority: High
Due date:
Assignee: -
% Done: 100%
Category: Core & System
Target version: -

Description

This issue is to add the possibility to define more complex filtering rules, that include outgoing/incoming traffic, source/destination IPs...

These filters will be stored to be reused in different networks, similar to the EC2 security groups.

Also, the filters could be updated on-the-fly.

networkfilter.diff (98.5 KB) Anonymous, 04/17/2012 07:56 AM


Subtasks

Feature #2033: Improve firewalling rules for OpenvSwitch Closed

Backlog #2396: Improve firewall.rb driver Closed

History

#1 Updated by Anonymous about 8 years ago

Here is a diff file created with "svn diff".

It contains the modifications for the oned daemon, the onenetworkfilter cli command and the sunstone object model.
(It should only contain the networkfilter changes. My apologies if something else crept in.)

It does not contain the netfilter sunstone plugin and the modified sunstone template plugin.
I'll need a bit more time to isolate only the filter related changes in those files. Should be done by the end of the week.

At this point, the code does not allow for on-the-fly changes. The filter parameters are set in the deployment file which is used by libvirt to start the VM. Since OpenNebula at this time does not have an API to make live changes to a libvirt/kvm domain, the filter cannot be modified live.

The Netfilter code in this patch works with a libvirt "nwfilter" that needs to be present in the libvirt environment. Just like the clear-traffic filter works now. The code in this patch does not make any assumptions about the netfilter that will be used, it simply puts the parameters in the NIC section in the deployment file.

The sunstone plugin for creating the netfilter is where the specific form of the parameters is defined.
More info on this when I attach the plugin file(s).

Please do let me know if you want me to change things!

#2 Updated by Anonymous about 8 years ago

For completeness' sake: this patch is based on OpenNebula 3.2.1

wkr,

Jhon

#3 Updated by Jaime Melis about 8 years ago

Thanks Jhon for uploading this.

#4 Updated by Ruben S. Montero almost 8 years ago

  • Target version deleted (Release 3.8)

#5 Updated by Ruben S. Montero about 7 years ago

  • Tracker changed from Feature to Backlog
  • Assignee deleted (Jaime Melis)

#6 Updated by Ruben S. Montero about 7 years ago

  • Priority changed from Normal to Low

#7 Updated by Ruben S. Montero about 7 years ago

  • Status changed from New to Pending

#8 Updated by Ruben S. Montero over 6 years ago

  • Priority changed from Low to High

#9 Updated by Ruben S. Montero over 6 years ago

  • Tracker changed from Backlog to Feature

#10 Updated by Ruben S. Montero over 6 years ago

  • Status changed from Pending to New

#11 Updated by Ruben S. Montero over 6 years ago

  • Target version set to Release 4.6

#12 Updated by Ruben S. Montero over 6 years ago

  • Tracker changed from Feature to Backlog
  • Status changed from New to Pending
  • Target version deleted (Release 4.6)

#13 Updated by Ruben S. Montero over 5 years ago

  • Status changed from Pending to Closed

This is the security groups feature in 4.12
