Hi Nachi:

I added some content into:
https://docs.google.com/document/d/1hqcivTHnB7yrcs834CpM6XF6sUEdF98d0WGFctgtyMA/edit#

they are sample nova instance iptables rules and ebtables rules.


I think separating the rules into different chains is feasible.
Besides the concerns on the review page,
using the forward chain to prevent something from getting out of the VM is a little bit too late. We should be able to filter it earlier in the prerouting chain.

Another interesting thing is that nova (via libvirtd) is also using the NAT table to do it.


Best regards,
Yong Sheng Gong
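The layout the message argues for, as an added example that is not from the original thread or from nova or libvirt: a small POSIX shell generator that prints, for one instance, the ebtables and iptables commands that would install a per-instance early chain (ebtables nat PREROUTING for L2/ARP checks, iptables raw PREROUTING for the source-IP check, both before conntrack and routing) and a separate per-instance FORWARD chain for the stateful security-group rules. The chain names `nova-pre-*` and `nova-fwd-*`, the instance id, tap device, MAC and IP are constructed for the example; the physdev matches assume the tap is on a Linux bridge with bridge-nf-call-iptables enabled. Nothing is applied; the commands are only printed so they can be reviewed first.

```shell
#!/bin/sh
# Hypothetical rule generator (added example, not nova or libvirt code).
# Prints the ebtables/iptables commands for one VM's per-instance chains.
# Args: <instance-id> <tap-interface> <mac> <ipv4>
gen_vm_rules() {
    inst="$1"; tap="$2"; mac="$3"; ip="$4"
    pre="nova-pre-${inst}"   # early chain: ebtables nat PREROUTING / iptables raw PREROUTING
    fwd="nova-fwd-${inst}"   # stateful chain: iptables filter FORWARD

    # Layer 2: the ebtables nat table's PREROUTING hook sees a frame as soon as it
    # enters the bridge from the tap, before any IP-layer hook. A frame with a
    # source MAC other than the VM's, or an ARP reply claiming another IP, is
    # dropped here and never reaches the FORWARD chain.
    echo "ebtables -t nat -N ${pre}"
    echo "ebtables -t nat -A PREROUTING -i ${tap} -j ${pre}"
    echo "ebtables -t nat -A ${pre} -s ! ${mac} -j DROP"
    echo "ebtables -t nat -A ${pre} -p ARP --arp-ip-src ! ${ip} -j DROP"
    echo "ebtables -t nat -A ${pre} -j RETURN"

    # Layer 3: raw PREROUTING runs before conntrack and routing, so a packet
    # leaving the VM with a forged source address is dropped before it can create
    # connection state or be forwarded anywhere.
    echo "iptables -t raw -N ${pre}"
    echo "iptables -t raw -A PREROUTING -m physdev --physdev-in ${tap} -j ${pre}"
    echo "iptables -t raw -A ${pre} ! -s ${ip} -j DROP"
    echo "iptables -t raw -A ${pre} -j RETURN"

    # Security-group style rules stay in FORWARD, where conntrack state is available.
    echo "iptables -N ${fwd}"
    echo "iptables -A FORWARD -m physdev --physdev-in ${tap} -j ${fwd}"
    echo "iptables -A FORWARD -m physdev --physdev-out ${tap} -j ${fwd}"
    echo "iptables -A ${fwd} -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A ${fwd} -m physdev --physdev-in ${tap} -j ACCEPT"
    echo "iptables -A ${fwd} -m physdev --physdev-out ${tap} -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A ${fwd} -j DROP"
}

# Constructed sample instance (all values invented for the example).
gen_vm_rules i-0001 tap0 fa:16:3e:00:00:01 10.0.0.5
```

Splitting the rules this way keeps the per-instance anti-spoofing checks in the earliest hooks (the same ebtables nat PREROUTING placement the message notes libvirtd using) while the stateful allow/deny logic lives in its own FORWARD chain, so removing an instance is a matter of unhooking and flushing its two chains.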


--
Mailing list: https://launchpad.net/~quantum-core
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~quantum-core
More help   : https://help.launchpad.net/ListHelp