Flexible firewall definition and dynamic behavior
Category: Core & System
This issue is to add the possibility to define more complex filtering rules, covering outgoing/incoming traffic, source/destination IPs, etc.
These filters will be stored so they can be reused in different networks, similar to the EC2 security groups.
Also, the filters could be updated on-the-fly.
#1 Updated by Anonymous about 9 years ago
- File networkfilter.diff added
Here is a diff file created with "svn diff".
It contains the modifications for the oned daemon, the onenetworkfilter cli command and the sunstone object model.
(It should only contain the networkfilter changes. My apologies if something else crept in.)
It does not contain the netfilter sunstone plugin and the modified sunstone template plugin.
I'll need a bit more time to isolate only the filter related changes in those files. Should be done by the end of the week.
At this point, the code does not allow for on-the-fly changes. The filter parameters are set in the deployment file which is used by libvirt to start the VM. Since OpenNebula at this time does not have an API to make live changes to a libvirt/kvm domain, the filter cannot be modified live.
The Netfilter code in this patch works with a libvirt "nwfilter" that needs to be present in the libvirt environment, just like the clear-traffic filter works now. The code in this patch does not make any assumptions about the netfilter that will be used; it simply puts the parameters in the NIC section in the deployment file.
The sunstone plugin for creating the netfilter is where the specific form of the parameters is defined.
More info on this when I attach the plugin file(s).
Please do let me know if you want me to change things!
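The comment above describes the mechanism but not the shape of the output: filter parameters from the NIC template are written into the NIC section of the libvirt deployment file as a `<filterref>` with `<parameter>` children, and the named filter must already exist in libvirt (libvirt ships a built-in one called `clean-traffic`, which references `$IP`). The following Ruby script is an added example, not code from the patch or from OpenNebula; the `FILTER` and `FILTER_PARAMS` attribute names and the sample NIC hash are assumptions constructed for the example. It builds the `<interface>` element with REXML and, because the deployment file is handed straight to libvirt, rejects parameter names and values that do not have the shape the filter expects before they reach it.

```ruby
require 'rexml/document'
require 'ipaddr'

# Constructed sample of a NIC as an OpenNebula-style template hash.
# FILTER and FILTER_PARAMS are attribute names assumed for this example;
# they are not the names used by the patch.
SAMPLE_NIC = {
  'BRIDGE'        => 'br0',
  'MAC'           => '02:00:0a:00:00:05',
  'FILTER'        => 'clean-traffic',        # must already exist as a libvirt nwfilter
  'FILTER_PARAMS' => { 'IP' => '10.0.0.5' }  # referenced as $IP inside the nwfilter
}.freeze

# libvirt nwfilter variable names are upper-case identifiers.
PARAM_NAME_RE  = /\A[A-Z][A-Z0-9_]*\z/
# Conservative shape for non-address values (ports, MACs, protocol names).
PARAM_VALUE_RE = %r{\A[\w.:/-]{1,64}\z}

# True when value parses as an address of the requested family.
def ip_of_version?(value, v4)
  addr = IPAddr.new(value)
  v4 ? addr.ipv4? : addr.ipv6?
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# Reject a parameter unless its name is a legal variable name and its value
# has the shape the name implies. The deployment file is consumed by libvirt,
# so template content must not pass through unchecked.
def valid_param?(name, value)
  return false unless name.is_a?(String) && name.match?(PARAM_NAME_RE)
  return false unless value.is_a?(String)
  case name
  when 'IP'   then ip_of_version?(value, true)
  when 'IPV6' then ip_of_version?(value, false)
  else value.match?(PARAM_VALUE_RE)
  end
end

# Build the <interface> element for the libvirt domain XML, attaching a
# <filterref> with one <parameter> per validated filter parameter.
def build_interface(nic)
  iface = REXML::Element.new('interface')
  iface.add_attribute('type', 'bridge')
  iface.add_element('source', 'bridge' => nic.fetch('BRIDGE'))
  iface.add_element('mac', 'address' => nic.fetch('MAC'))
  filter = nic['FILTER']
  if filter
    raise ArgumentError, "bad filter name #{filter.inspect}" unless filter.match?(/\A[\w-]+\z/)
    ref = iface.add_element('filterref', 'filter' => filter)
    (nic['FILTER_PARAMS'] || {}).each do |name, value|
      unless valid_param?(name, value)
        raise ArgumentError, "rejected filter parameter #{name}=#{value.inspect}"
      end
      ref.add_element('parameter', 'name' => name, 'value' => value)
    end
  end
  iface.to_s
end

# Read the filter reference back out of an <interface> fragment, returning
# [filter_name, {param_name => value}] or nil when no filter is attached.
def parse_filterref(xml)
  doc = REXML::Document.new(xml)
  ref = doc.root.elements['filterref']
  return nil unless ref
  params = ref.elements.to_a('parameter').each_with_object({}) do |p, h|
    h[p.attributes['name']] = p.attributes['value']
  end
  [ref.attributes['filter'], params]
end

puts build_interface(SAMPLE_NIC) if __FILE__ == $PROGRAM_NAME
```

Running the script prints the `<interface>` fragment that would go into the NIC section; the `$IP` value inside it is the one the nwfilter substitutes when libvirt instantiates the rules, which is why the script insists on a real IPv4 address for `IP` and a real IPv6 address for `IPV6` rather than accepting any string from the template.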