libvirt/docs
Stefan Berger a3f3ab4c9c nwfilter: Add support for ipset
This patch adds support for the recent ipset iptables extension
to libvirt's nwfilter subsystem. Ipset allows maintaining 'sets'
of IP addresses, ports and other packet parameters and allows for
faster lookup (on the order of O(1) vs. O(n)) and rule evaluation
to achieve higher throughput than what can be achieved with
individual iptables rules.

On the command line iptables supports ipset using

iptables ... -m set --match-set <ipset name> <flags> -j ...

where 'ipset name' is the name of a previously created ipset and
flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst'
for selecting IP addresses, ports etc. from the source or
destination part of a packet. So a concrete example may look like this:

iptables -A INPUT -m set --match-set test src,src -j ACCEPT

Since ipset management is quite complex, the idea was to leave ipset 
management outside of libvirt but still allow users to reference an ipset.
The user would have to make sure the ipset is available once the VM is
started so that the iptables rule(s) referencing the ipset can be created.

Using XML to describe an ipset in an nwfilter rule would then look as
follows:

  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>

The two parameters on the command line are also the two distinct XML attributes
'ipset' and 'ipsetflags'.

FYI: Here is the man page for ipset:

https://ipset.netfilter.org/ipset.man.html

Regards,
    Stefan
2012-05-21 06:26:34 -04:00
api_extension xen_xs: name xendConfigVersion magic numbers 2012-02-01 16:28:17 -07:00
devhelp maint: consolidate several .gitignore files 2012-02-03 15:27:16 -07:00
html maint: consolidate several .gitignore files 2012-02-03 15:27:16 -07:00
internals command: allow merging stdout and stderr in string capture 2012-02-03 10:02:34 -07:00
schemas nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
32favicon.png
api_extension.html.in
api.html.in
apibuild.py block rebase: add new API virDomainBlockRebase 2012-02-01 15:21:56 -07:00
apps.html.in Added Snooze cloud manager to the IaaS section 2012-05-02 12:20:38 -06:00
archdomain.html.in
architecture.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
architecture.gif
architecture.html.in
archnetwork.html.in
archnode.html.in
archstorage.html.in
auth.html.in Use XDG Base Directories instead of storing in home directory 2012-05-14 15:15:58 +01:00
bindings.html.in
bugs.html.in Update bug reporting page 2012-02-23 16:02:33 -07:00
compiling.html.in
contact.html.in
csharp.html.in
deployment.html.in
devguide.html.in
docs.html.in
downloads.html.in
drivers.html.in hyperv: Add basic documentation 2011-08-26 17:52:55 +02:00
drvesx.html.in esx: Support folders in the path of vpx:// connection URIs 2011-11-01 18:45:42 +01:00
drvhyperv.html.in hyperv: Add basic documentation 2011-08-26 17:52:55 +02:00
drvlxc.html.in virterror.c: Fix several spelling mistakes 2012-02-03 11:32:51 -07:00
drvopenvz.html.in docs: fix path to openvz network configuration file 2012-04-16 17:02:08 +02:00
drvqemu.html.in docs: Fix libvirt name in qemu commandline namespace URL 2012-02-28 17:30:30 +01:00
drvremote.html.in
drvtest.html.in
drvuml.html.in
drvvbox.html.in vbox: Support shared folders 2011-10-29 19:50:48 +02:00
drvvmware.html.in
drvxen.html.in
errors.html.in
et.png
firewall.html.in
footer_corner.png
footer_pattern.png
format.html.in
formatcaps.html.in Remove powerMgmt_valid field from capabilities struct 2011-11-30 10:12:30 +00:00
formatdomain.html.in domain: add <codec> sound sub-element 2012-05-17 11:40:11 -06:00
formatnetwork.html.in Minor docs fix 2012-03-19 20:33:30 -04:00
formatnode.html.in npiv: Expose fabric_name outside 2011-12-07 18:42:08 +08:00
formatnwfilter.html.in nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
formatsecret.html.in secret: add Ceph secret type 2011-10-28 11:34:17 -06:00
formatsnapshot.html.in snapshot: also support disks by path 2011-09-05 07:03:04 -06:00
formatstorage.html.in storage: support more scaling suffixes 2012-03-07 18:24:43 -07:00
formatstorageencryption.html.in
generic.css
goals.html.in
hacking1.xsl
hacking2.xsl
hacking.html.in Document STREQ_NULLABLE and STRNEQ_NULLABLE 2011-10-06 16:50:38 +02:00
hooks.html.in qemu: Add pre-migration hook 2012-02-29 12:27:12 +01:00
hvsupport.pl
index.html.in hyperv: Add basic documentation 2011-08-26 17:52:55 +02:00
index.py
internals.html.in
intro.html.in
java.html.in
library.xen
libvirt-daemon-arch.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
libvirt-daemon-arch.png
libvirt-driver-arch.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
libvirt-driver-arch.png
libvirt-header-bg.png
libvirt-header-logo.png
libvirt-net-logical.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
libvirt-net-logical.png
libvirt-net-physical.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
libvirt-net-physical.png
libvirt-object-model.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
libvirt-object-model.png
libvirt.css Add documentation about migration. 2011-10-28 10:07:45 +01:00
libvirtLogo.png
locking.html.in virterror.c: Fix several spelling mistakes 2012-02-03 11:32:51 -07:00
logging.html.in Allow stack traces to be included with log messages 2012-05-15 17:01:40 +01:00
madeWith.png
main.css
Makefile.am build: fix stamp file name 2012-05-11 08:20:34 -06:00
migration-managed-direct.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
migration-managed-direct.png Add documentation about migration. 2011-10-28 10:07:45 +01:00
migration-managed-p2p.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
migration-managed-p2p.png Add documentation about migration. 2011-10-28 10:07:45 +01:00
migration-native.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
migration-native.png Add documentation about migration. 2011-10-28 10:07:45 +01:00
migration-tunnel.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
migration-tunnel.png Add documentation about migration. 2011-10-28 10:07:45 +01:00
migration-unmanaged-direct.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
migration-unmanaged-direct.png Add documentation about migration. 2011-10-28 10:07:45 +01:00
migration.html.in docs: mention migration issue of which credentials are used 2012-05-10 14:50:39 -06:00
newapi.xsl Improve tokenizing of linkable terms 2011-08-12 07:35:19 -06:00
news.html.in Release of libvirt-0.9.12 2012-05-14 10:52:04 +08:00
news.xsl
node.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
node.gif
page.xsl
pending.html.in Web placeholder for pending patches on the web site 2012-04-13 23:57:00 +08:00
php.html.in
python.html.in docs: fix typo in python bindings 2012-02-09 14:28:40 -07:00
relatedlinks.html.in
remote.html.in Change the default of mdns_adv to false 2012-03-27 09:54:49 -06:00
search.php
site.xsl
sitemap.html.in docs: Add 'maintenance releases' link in 'News' sidebar 2012-05-07 10:50:53 -04:00
storage.html.in Add detail to documentation on storage pools and volumes. 2012-02-02 15:51:25 -07:00
structures.fig Remove trailing whitespace from all xfig files 2011-10-28 10:11:16 +01:00
subsite.xsl
testapi.html.in
testsuites.html.in
testtck.html.in
todo.cfg-example
todo.pl
uri.html.in Use XDG Base Directories instead of storing in home directory 2012-05-14 15:15:58 +01:00
virshcmdref.html.in
windows.html.in
wrapstring.xsl