cloudstack-dev mailing list archives

From Nux! <...@li.nux.ro>
Subject Re: Hooking into the SecurityGroups
Date Mon, 04 Apr 2016 15:01:01 GMT
Jayapal (or anyone else),

Where I got so far is adding rules with counters against a certain ipset, e.g. I add this:
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out "
        + vif + " -m set --set myipset src")
before
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out "
        + vif + " -j " + vmchain_default)

And same for IN.

That works, the problem is they do not get removed when VM is stopped. The removal function
does not catch it:
delcmd = """iptables-save | awk '/BF(.*)physdev-is-bridged(.*)%s/ { sub(/-A/, "-D", $1) ;
            print }'""" % vmchain

Anyone knows how I could modify or add to that to have it remove my rule as well?

(not a coder alas)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nux!" <nux@li.nux.ro>
> To: dev@cloudstack.apache.org
> Sent: Friday, 1 April, 2016 13:12:55
> Subject: Re: Hooking into the SecurityGroups

> Thanks a lot Jayapal!
> 
> Will, that sounds nice but I have not seen anything like this.
> 
> Another interesting thing might be - as Wido suggested - to use libvirt filters
> instead of our python scripts and I believe libvirt has its own way of hooking
> stuff into it. Could be another thing to explore, though it sounds like a level
> lower than what you're proposing.
> 
> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> ----- Original Message -----
>> From: "Will Stevens" <williamstevens@gmail.com>
>> To: dev@cloudstack.apache.org
>> Sent: Friday, 1 April, 2016 12:50:16
>> Subject: Re: Hooking into the SecurityGroups
> 
>> Slightly off topic, but relevant. Ideally we could easily hook into the
>> event logging and build added logic by simply tying them to specific
>> events. This would limit the hackery and would provide a system that others
>> could use without having to change the core. Has anyone done something like
>> this?
>> On Apr 1, 2016 6:42 AM, "Nux!" <nux@li.nux.ro> wrote:
>> 
>>> Hi,
>>>
>>> I want to hook into the SGs and add a few iptables rules every time a VM
>>> is spawned and delete them when the VM is moved/deleted.
>>> Has anyone done this before? Any pointers before I go and butcher it? :-)
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
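The removal problem described at the top of this message, worked through as an added example that is not from the thread and not CloudStack's own security_group.py: the awk filter keys on the per-VM chain name, so a counter rule that matches an ipset instead of jumping to that chain never contains the name and is left behind. Keying the cleanup on the VM's interface (`--physdev-out`/`--physdev-in` with the vif) catches every bridged rule for that VM regardless of its target. The iptables-save text, the chain names (BF-cloudbr0-OUT, i-2-10-def), the vif names and the ipset name are all constructed for the example; the real script's naming may differ.

```python
import re

# Constructed sample of `iptables-save` output (not captured from a real host).
# Chain names follow the shapes used in the thread: a bridge chain BF-<bridge>-OUT/-IN,
# a per-VM default chain (assumed here to be i-2-10-def) and a hypothetical ipset "myipset".
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:BF-cloudbr0-OUT - [0:0]
:BF-cloudbr0-IN - [0:0]
:i-2-10-def - [0:0]
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet3 -m set --match-set myipset src
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet3 -j i-2-10-def
-A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet3 -m set --match-set myipset dst
-A BF-cloudbr0-IN -m physdev --physdev-is-bridged --physdev-in vnet3 -j i-2-10-def
-A BF-cloudbr0-OUT -m physdev --physdev-is-bridged --physdev-out vnet30 -j i-2-11-def
-A i-2-10-def -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def append_to_delete(rule):
    """Turn an iptables-save append line into a runnable delete command.

    Mirrors the awk `sub(/-A/, "-D", $1)`: only the leading -A flag is rewritten,
    the rest of the rule is kept verbatim so -D matches exactly what -A installed."""
    if not rule.startswith("-A "):
        raise ValueError("not an append rule: %r" % rule)
    return "iptables -D " + rule[3:]


def deletes_by_chain(save_output, chain):
    """Reproduce the thread's awk filter: /BF(.*)physdev-is-bridged(.*)<chain>/.

    Only rules that mention the per-VM chain are caught; a counter rule that
    matches an ipset instead of jumping to the chain is missed."""
    pattern = re.compile(r"BF(.*)physdev-is-bridged(.*)" + re.escape(chain))
    return [append_to_delete(line) for line in save_output.splitlines()
            if line.startswith("-A ") and pattern.search(line)]


def deletes_by_vif(save_output, vif):
    """Key the cleanup on the VM's interface instead of on the chain name.

    Every bridged rule for this vif is caught whatever its target, so the ipset
    counter rules are removed together with the jump rules when the VM goes away.
    The negative lookahead stops "vnet3" from also matching "vnet30"."""
    pattern = re.compile(
        r"BF\S*\s.*--physdev-is-bridged .*--physdev-(?:in|out) "
        + re.escape(vif) + r"(?!\S)")
    return [append_to_delete(line) for line in save_output.splitlines()
            if line.startswith("-A ") and pattern.search(line)]


if __name__ == "__main__":
    print("chain-based filter (what the current awk catches):")
    for cmd in deletes_by_chain(SAMPLE_IPTABLES_SAVE, "i-2-10-def"):
        print("  " + cmd)
    print("vif-based filter (also catches the ipset counter rules):")
    for cmd in deletes_by_vif(SAMPLE_IPTABLES_SAVE, "vnet3"):
        print("  " + cmd)
```

Run against the sample, the chain-based filter yields two delete commands (the jump rules only) while the vif-based filter yields four, including both ipset counter rules, and leaves the vnet30 rule of the other VM alone. On a real host the generated commands would be fed to a shell the same way the existing delcmd output is; the rules are deleted by exact match, so they must be emitted unmodified apart from the -A to -D flag.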
