This resolves issue 12 Public IP isolation

[dimm0]

Isolate public IPs for frontend VMs

[tcooper]

This looks too easy... Can you show us what did you do to test? Can you summarize how this is implemented in the host (i.e. dynamic iptables rules?). If iptables is restarted on the physical host what happens to this configuration? Do we need to add firewall rules to rocks and/or do an iptables-save on the physical host to prevent loss of this setting?

[tcooper]

Yes... please check. If I recall correctly this was one of the gotchas.

[dimm0]

I commented on the bottom in general discussion, otherwise this thread is shown in the code and it's not clear what's happening in the code.

[tcooper]

Please add testing / implementation details into the conversation.

[dimm0]

http://libvirt.org/formatnwfilter.html#nwfexamples

clean-traffic Prevent MAC, IP and ARP spoofing. This filter references several other filters as building blocks.

[root@hpcdev-pub02 ~]# virsh nwfilter-dumpxml clean-traffic
<filter name='clean-traffic' chain='root'>
  <uuid>4fe52ec6-d09b-5fa3-de29-27ad99535191</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv4'/>
  </rule>
  <filterref filter='allow-incoming-ipv4'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

Those other referenced filters are described in the same URL

I first ran a VM without 'clean-traffic' parameter, and was able to change the IP inside the guest and access the network from it. Then I enabled the 'clean-traffic' parameter and was only able to access the network when the IP is set to the value defined by its "IP" parameter

How it works is described here: http://libvirt.org/formatnwfilter.html#nwfwrite , I won't copy it here. It uses iptables and ip6tables and ebtables on the host, which should be a permanent rule Actually that's probably for custom filters

I can check whether the rules stay when iptables are restarted

[dimm0]

rocks sync host firewall is hanging on my frontend.
After rocks sync host network I still couldn't access network from the VM with a wrong IP
I suppose it's some internal KVM stuff which should survive NIC restarts

[dimm0]

Is there a reason to change network config or restart iptables while having VMs running on the host? Restarting NICs is a bad idea anyway when having passthrough enabled to the VMs...

[tcooper]

Perhaps... See sdsc/nucleus-service#12