The nova.virt.libvirt.firewall Module

class IptablesFirewallDriver(execute=None, **kwargs)

    Bases: nova.virt.firewall.IptablesFirewallDriver

    The generic iptables driver, combined with libvirt nwfilter for the basic per-instance filtering (see setup_basic_filtering).

    apply_instance_filter(instance, network_info)
        No-op. Everything is done in prepare_instance_filter.

    instance_filter_exists(instance, network_info)
        Check that the per-instance nwfilter, nova-instance-instance-xxx (where instance-xxx is the instance's libvirt domain name), exists.

    setup_basic_filtering(instance, network_info)
        Set up the basic NWFilter for the instance.

    unfilter_instance(instance, network_info)
class NWFilterFirewall(host, **kwargs)

    Bases: nova.virt.firewall.FirewallDriver

    This class implements a network filtering mechanism using libvirt's nwfilter. All instances get a base filter ("nova-base") applied. This filter provides basic security such as protection against MAC spoofing, IP spoofing and ARP spoofing.

    apply_instance_filter(instance, network_info)
        No-op. Everything is done in prepare_instance_filter.

    get_base_filter_list(instance, allow_dhcp)
        Obtain the list of base filters to apply to an instance. The return value is a list of strings, each naming a filter. Subclasses can override this method to add further filters; any filter added to the list must also be correctly defined by the subclass.

    instance_filter_exists(instance, network_info)
        Check that the per-instance nwfilter, nova-instance-instance-xxx (where instance-xxx is the instance's libvirt domain name), exists.

    nova_dhcp_filter()
        libvirt's standard allow-dhcp-server filter is expressed with <ip> rules, which libvirt implements with ebtables. Without a corresponding rule in iptables the DHCP traffic is blocked anyway, so Nova supplies its own DHCP filter here.

    nova_no_nd_reflection_filter()
        Filter that protects against false positives in IPv6 Duplicate Address Detection (DAD): it drops the instance's own neighbor discovery frames when they are reflected back to it, which would otherwise make DAD conclude that the address is already in use.

    setup_basic_filtering(instance, network_info)
        Set up basic filtering (MAC, IP and ARP spoofing protection).

    unfilter_instance(instance, network_info)
        Clear out the nwfilter rules for the instance.
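As an added worked example (written for this page; it is neither Nova's nor libvirt's code), the following Python builds the kind of nwfilter definitions the NWFilterFirewall class composes: a nova-base filter that references libvirt's built-in no-mac-spoofing, no-ip-spoofing, no-arp-spoofing and allow-dhcp-server filters plus a nova-no-nd-reflection filter, a per-instance filter nova-instance-instance-xxx that binds MAC, IP and DHCPSERVER parameters, and a small evaluator that applies the no-nd-reflection rule to constructed frames to show which ones it drops. The exact rule body of nova-no-nd-reflection, the parameter names and all sample addresses are assumptions made for the illustration; the rule is evaluated here in Python rather than loaded into libvirt, so only the standard library is needed.

```python
"""Added example (not Nova's or libvirt's code): compose nwfilter XML the way the
NWFilterFirewall class composes it, and evaluate the no-nd-reflection rule.

Assumptions, made for illustration only: the rule body of nova-no-nd-reflection,
the parameter names MAC/IP/DHCPSERVER, and every sample address below.
"""
import xml.etree.ElementTree as ET

ALL_ONES = "ff:ff:ff:ff:ff:ff"

# Filters shipped with libvirt; the page says the base filter draws its MAC/IP/ARP
# anti-spoofing protection from these, and mentions allow-dhcp-server by name.
LIBVIRT_ANTI_SPOOFING = ["no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"]


def build_base_filter(name="nova-base", allow_dhcp=True):
    """Base filter made of <filterref>s, mirroring what get_base_filter_list() names."""
    flt = ET.Element("filter", name=name, chain="root")
    refs = list(LIBVIRT_ANTI_SPOOFING)
    if allow_dhcp:
        refs.append("allow-dhcp-server")
    refs.append("nova-no-nd-reflection")
    for ref in refs:
        ET.SubElement(flt, "filterref", filter=ref)
    return flt


def build_nd_reflection_filter():
    """Assumed shape of nova-no-nd-reflection: drop an inbound frame whose source is
    the instance's own MAC ($MAC) and whose destination is an IPv6 multicast MAC
    (33:33:xx:xx:xx:xx). Such a frame is the guest's own neighbor solicitation
    reflected back by the bridge, which would make DAD report a duplicate."""
    flt = ET.Element("filter", name="nova-no-nd-reflection", chain="ipv6")
    rule = ET.SubElement(flt, "rule", action="drop", direction="in")
    ET.SubElement(rule, "mac", srcmacaddr="$MAC",
                  dstmacaddr="33:33:00:00:00:00", dstmacmask="ff:ff:00:00:00:00")
    return flt


def build_instance_filter(domain_name, mac, ip, dhcp_server):
    """Per-instance filter nova-instance-<domain> binding parameters to nova-base."""
    flt = ET.Element("filter", name="nova-instance-" + domain_name, chain="root")
    ref = ET.SubElement(flt, "filterref", filter="nova-base")
    for key, value in (("MAC", mac), ("IP", ip), ("DHCPSERVER", dhcp_server)):
        ET.SubElement(ref, "parameter", name=key, value=value)
    return flt


def filterrefs(flt):
    """Names of the filters a filter element references, in order."""
    return [ref.get("filter") for ref in flt.findall("filterref")]


def to_xml(flt):
    """Serialise into the XML that virsh nwfilter-define accepts."""
    return ET.tostring(flt, encoding="unicode")


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def _mac_match(addr, want, mask):
    """Masked MAC comparison, as nwfilter's *macmask attributes express it."""
    m = _mac_int(mask)
    return _mac_int(addr) & m == _mac_int(want) & m


def nd_reflection_verdict(flt, params, frame):
    """Apply the filter's inbound <mac> rules to a frame {"src": .., "dst": ..}.
    $VAR references are resolved from params. A frame matching no rule is
    accepted, which is what nwfilter does when no rule in the filter matches."""
    for rule in flt.findall("rule"):
        if rule.get("direction") not in ("in", "inout"):
            continue
        for mac in rule.findall("mac"):
            matched = True
            for side in ("src", "dst"):
                want = mac.get(side + "macaddr")
                if want is None:
                    continue
                if want.startswith("$"):
                    want = params[want[1:]]
                mask = mac.get(side + "macmask", ALL_ONES)
                matched = matched and _mac_match(frame[side], want, mask)
            if matched:
                return rule.get("action")
    return "accept"


if __name__ == "__main__":
    own_mac = "fa:16:3e:aa:bb:cc"                      # constructed instance MAC
    params = {"MAC": own_mac}
    nd = build_nd_reflection_filter()
    # Constructed frames: the guest's own NS bounced back, a neighbour's NS, unicast.
    for label, frame in (
        ("reflected own NS", {"src": own_mac, "dst": "33:33:ff:aa:bb:cc"}),
        ("neighbour's NS", {"src": "fa:16:3e:11:22:33", "dst": "33:33:ff:aa:bb:cc"}),
        ("own frame, unicast", {"src": own_mac, "dst": "fa:16:3e:11:22:33"}),
    ):
        print(f"{label:20s} -> {nd_reflection_verdict(nd, params, frame)}")
    print(to_xml(build_instance_filter("instance-00000001", own_mac, "10.0.0.5", "10.0.0.1")))
```

Run stand-alone, the script shows that only the reflected neighbor solicitation (own source MAC, IPv6 multicast destination) is dropped, and prints the per-instance filter XML in which the parameters are bound; the output of to_xml() for each of the three builders is what would be handed to virsh nwfilter-define, with nova-base referring to the libvirt built-ins and the per-instance filter referring to nova-base.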