The nova.virt.libvirt.firewall Module

class IptablesFirewallDriver(execute=None, **kwargs)

Bases: nova.virt.firewall.IptablesFirewallDriver

apply_instance_filter(instance, network_info)

No-op. Everything is done in prepare_instance_filter.

instance_filter_exists(instance, network_info)

Check nova-instance-instance-xxx exists.

setup_basic_filtering(instance, network_info)

Set up basic NWFilter.

unfilter_instance(instance, network_info)

class NWFilterFirewall(host, **kwargs)

Bases: nova.virt.firewall.FirewallDriver

This class implements a network filtering mechanism by using libvirt’s nwfilter. all instances get a filter (“nova-base”) applied. This filter provides some basic security such as protection against MAC spoofing, IP spoofing, and ARP spoofing.

apply_instance_filter(instance, network_info)

No-op. Everything is done in prepare_instance_filter.

get_base_filter_list(instance, allow_dhcp)

Obtain a list of base filters to apply to an instance. The return value should be a list of strings, each specifying a filter name. Subclasses can override this function to add additional filters as needed. Additional filters added to the list must also be correctly defined within the subclass.

instance_filter_exists(instance, network_info)

Check nova-instance-instance-xxx exists.

nova_dhcp_filter()

The standard allow-dhcp-server filter is an <ip> one, so it uses ebtables to allow traffic through. Without a corresponding rule in iptables, it’ll get blocked anyway.

nova_no_nd_reflection_filter()

This filter protects false positives on IPv6 Duplicate Address Detection(DAD).

setup_basic_filtering(instance, network_info)

Set up basic filtering (MAC, IP, and ARP spoofing protection).

unfilter_instance(instance, network_info)

Clear out the nwfilter rules.