OpenNebula / one

The open source Cloud & Edge Computing Platform bringing real freedom to your Enterprise Cloud 🚀
http://opennebula.io
Apache License 2.0

Security Groups Enhancements #5510

Open christian7007 opened 3 years ago

christian7007 commented 3 years ago

Description

The current implementation of Security Groups (SG) has two main limitations:

The proposed enhancement is to decouple the SG implementation from the actual switching technology used to implement a Virtual Network (e.g. Linux bridge or Open vSwitch).

+--------------+-------------+
| Linux Bridge |     OVS     |
+--------------+-------------+ --> Connection layer
|     iptables + netns       |
+----------------------------+ --> Firewall layer

This way the functional logic is distributed in two layers:

The workflow will look as below:

  1. The VM is by default connected to the network bridge, as defined in the network template.
  2. Create a netns for the VM, named after one-<VM_ID>.
  3. Remove the VM tap from the network bridge and move this tap to the VM netns.
  4. Create a firewall LXB, named after one-br-<VM_ID>-<NIC_ID>, in the VM netns.
  5. Create a veth to connect the firewall LXB and the Virtual Network bridge. Each pair will be in the VM and Hypervisor network namespaces, respectively.
  6. Attach the VM end of the veth and the VM tap to the firewall LXB.
  7. Attach the Hypervisor end of the veth to the Virtual Network bridge.

Progress Status
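The seven-step workflow above, rendered as the ip(8) commands an operator would run for one NIC. This is an added example, not OpenNebula's driver code: it takes the tap name from the caller, uses its own short veth names (v<VM_ID>n<NIC_ID>i / v<VM_ID>n<NIC_ID>h, which the issue does not specify), and checks the 15-byte interface-name limit before creating anything.

```shell
#!/bin/sh
# Added example, not OpenNebula code: renders the seven-step workflow above
# as ip(8) commands for one VM NIC. DRY_RUN=1 (default) prints the commands;
# DRY_RUN=0 executes them, which needs root (CAP_NET_ADMIN) on the hypervisor.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Linux rejects interface names longer than 15 bytes (IFNAMSIZ - 1), so the
# one-br-<VM_ID>-<NIC_ID> scheme must be checked before any link is created.
ifname_ok() { [ "${#1}" -le 15 ]; }

# sg_isolate_nic VM_ID NIC_ID TAP VNET_BRIDGE
# Netns and firewall-bridge names follow the issue; the veth names are an
# assumption of this example, kept short to stay under the 15-byte limit.
sg_isolate_nic() {
    vm_id=$1; nic_id=$2; tap=$3; vnet_br=$4
    ns="one-$vm_id"
    fw_br="one-br-$vm_id-$nic_id"
    veth_vm="v${vm_id}n${nic_id}i"   # end that is moved into the VM netns
    veth_hv="v${vm_id}n${nic_id}h"   # end that stays in the hypervisor netns
    for n in "$fw_br" "$veth_vm" "$veth_hv"; do
        ifname_ok "$n" || { echo "interface name too long: $n" >&2; return 1; }
    done
    # Step 2: one netns per VM (shared by all its NICs, so skip if it exists)
    [ -e "/var/run/netns/$ns" ] || run ip netns add "$ns"
    # Step 3: detach the tap from the VNet bridge and move it into the VM netns
    run ip link set "$tap" nomaster
    run ip link set "$tap" netns "$ns"
    # Step 4: firewall Linux bridge inside the VM netns
    run ip -n "$ns" link add "$fw_br" type bridge
    # Step 5: veth pair, one end per namespace
    run ip link add "$veth_hv" type veth peer name "$veth_vm"
    run ip link set "$veth_vm" netns "$ns"
    # Step 6: VM end of the veth and the tap join the firewall bridge
    run ip -n "$ns" link set "$veth_vm" master "$fw_br"
    run ip -n "$ns" link set "$tap" master "$fw_br"
    # Step 7: hypervisor end of the veth joins the Virtual Network bridge
    run ip link set "$veth_hv" master "$vnet_br"
    # Moving a link across namespaces brings it down, so bring everything up
    run ip -n "$ns" link set "$fw_br" up
    run ip -n "$ns" link set "$veth_vm" up
    run ip -n "$ns" link set "$tap" up
    run ip link set "$veth_hv" up
}
```

Once the NIC is isolated this way, the iptables rules for the SG are applied inside netns one-<VM_ID> and no longer depend on whether the VNet bridge is a Linux bridge or Open vSwitch.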

pawanthegemini commented 1 year ago

By which version this feature is expected to be released?