Jayapal (or anyone else),
Where I got so far is adding rules with counters against a certain ipset, e.g.
I add this:
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -m set --set myipset src")
before
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain_default)
And same for IN.
That works; the problem is they do not get removed when the VM is stopped. The
removal function does not catch it:
delcmd = """iptables-save | awk '/BF(.*)physdev-is-bridged(.*)%s/ { sub(/-A/, "-D", $1) ; print }'""" % vmchain
Does anyone know how I could modify or add to that so it removes my rule as
well?
(not a coder alas)
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
----- Original Message -----
> From: "Nux!" <[email protected]>
> To: [email protected]
> Sent: Friday, 1 April, 2016 13:12:55
> Subject: Re: Hooking into the SecurityGroups
> Thanks a lot Jayapal!
>
> Will, that sounds nice but I have not seen anything like this.
>
> Another interesting thing might be - as Wido suggested - to use libvirt
> filters
> instead of our python scripts and I believe libvirt has it's own way of
> hooking
> stuff into it. Could be another thing to explore, though it sounds like a
> level
> lower than what you're proposing.
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Will Stevens" <[email protected]>
>> To: [email protected]
>> Sent: Friday, 1 April, 2016 12:50:16
>> Subject: Re: Hooking into the SecurityGroups
>
>> Slightly off topic, but relevant. Ideally we could easily hook into the
>> event logging and build added logic by simply tying them to specific
>> events. This would limit the hackery and would provide a system that others
>> could use without having to change the core. Has anyone done something like
>> this?
>> On Apr 1, 2016 6:42 AM, "Nux!" <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I want to hook into the SGs and add a few iptables rules every time a VM
>>> is spawned and delete them when the VM is moved/deleted.
>>> Has anyone done this before? Any pointers before I go and butcher it? :-)
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
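One way to make the removal step catch a counter rule like the one in the top message, as an added example that is not code from CloudStack's security_group.py or from Lucian's patch: the existing awk only emits a `-D` line for rules whose text contains the VM chain name, and the counter rule has no `-j <vmchain>`, so a second awk keyed on the vif and the ipset name is needed beside it. The iptables-save output is constructed for the demo; the bridge (`cloudbr0`), vif (`vnet3`, `vnet30`), set (`myipset`) and VM chain (`i-2-3-VM`) names are assumptions. `--match-set` is the current spelling of the `-m set` option (`--set` is its deprecated alias).

```shell
#!/bin/sh
# Added example, not code from CloudStack's security_group.py.
# Emits "iptables -D" arguments for the per-VM rules in the BF-<bridge>-IN/OUT
# chains, including counter rules that carry no "-j <vmchain>" and are
# therefore invisible to the vmchain-only awk from the mailing-list message.
#
# Constructed iptables-save output for the demo; bridge, vif, set and chain
# names are assumptions. vnet30 is there to show that "vnet3" must not match
# it as a prefix.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:BF-cloudbr0-IN - [0:0]
:BF-cloudbr0-OUT - [0:0]
:i-2-3-VM - [0:0]
:i-2-4-VM - [0:0]
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet3 -m set --match-set myipset src
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet3 -j i-2-3-VM
-A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet3 -m set --match-set myipset dst
-A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet3 -j i-2-3-VM
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet30 -m set --match-set myipset src
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet30 -j i-2-4-VM
COMMIT'

# The removal the script already does: only rules that name the VM chain.
# $1 = VM chain (e.g. i-2-3-VM); reads iptables-save text on stdin.
delcmds_for_vmchain() {
    awk -v chain="$1" '
        $0 ~ ("BF(.*)physdev-is-bridged(.*)" chain) { sub(/-A/, "-D", $1); print }'
}

# Companion removal for the extra rules: same BF-* chains, same vif, but
# matched on the ipset name instead of a jump target.  "( |$)" after the
# vif and set name stops vnet3 from matching vnet30.
# $1 = vif (e.g. vnet3), $2 = ipset name; reads iptables-save text on stdin.
delcmds_for_vif_set() {
    awk -v vif="$1" -v set="$2" '
        /^-A BF-/ && /physdev-is-bridged/ &&
        $0 ~ ("--physdev-(in|out) " vif "( |$)") &&
        $0 ~ ("--match-set " set "( |$)") { sub(/^-A$/, "-D", $1); print }'
}

# Both passes over one snapshot of the ruleset.
# $1 = VM chain, $2 = vif, $3 = ipset name; reads iptables-save text on stdin.
delcmds_for_vm() {
    saved_rules=$(cat)
    printf '%s\n' "$saved_rules" | delcmds_for_vmchain "$1"
    printf '%s\n' "$saved_rules" | delcmds_for_vif_set "$2" "$3"
}

# Usage on a live host (as root; this mutates the firewall). $cmd is left
# unquoted on purpose so the line splits into iptables arguments:
#   iptables-save | delcmds_for_vm i-2-3-VM vnet3 myipset |
#       while read -r cmd; do iptables $cmd; done
```

Run the delete pass before the VM chain itself is flushed and removed, as the existing code does, so that the ipset counter rules go away in the same step as the jump rules and no orphaned physdev rule is left pointing at a vif that no longer exists.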