- Committer: Tarmac
- Author(s): Soren Hansen, Vishvananda Ishaya, Devin Carlen
- Date: 2010-10-12 20:28:43 UTC
- mfrom: (265.2.56 api)
- Revision ID: hudson@openstack.org-20101012202843-qkv3kmc9uv400cif

This patch adds support for EC2 security groups using libvirt's nwfilter mechanism, which in turn uses iptables and ebtables on the individual compute nodes.
This has a number of benefits:
* Inter-VM network traffic can take the fastest route through the network without our having to worry about getting it through a central firewall.
* Not relying on a central firewall also removes a potential SPOF.
* The filtering load is distributed, offering great scalability.
Caveats:
* It only works with libvirt and only with libvirt drivers that support nwfilter (qemu (and thus kvm) and uml, at the moment)
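
An added illustration, not code from this patch or from the project: one way EC2-style security-group ingress rules could be rendered as a libvirt nwfilter definition of the kind the commit message refers to. The function name, the filter name and the sample rules are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: ingress rules in the shape of EC2 security-group permissions.
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "udp", "from_port": 53, "to_port": 53, "cidr": "0.0.0.0/0"},
    # For ICMP, EC2 carries type/code in from_port/to_port; -1 means "any".
    {"protocol": "icmp", "from_port": 8, "to_port": -1, "cidr": "192.168.1.0/24"},
]


def security_group_to_nwfilter(name, rules):
    """Render ingress rules as libvirt nwfilter XML (hypothetical helper)."""
    # tcp/udp/icmp rules are applied at the iptables layer; libvirt ignores
    # the chain attribute for them, so it is set to "root".
    root = ET.Element("filter", {"name": name, "chain": "root"})
    for r in rules:
        proto = r["protocol"].lower()
        if proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/8).
        net = ipaddress.ip_network(r["cidr"], strict=True)
        if net.version != 4:
            raise ValueError("only IPv4 sources are handled in this example")
        attrs = {"srcipaddr": str(net.network_address),
                 "srcipmask": str(net.prefixlen)}
        lo, hi = r["from_port"], r["to_port"]
        if proto == "icmp":
            if lo != -1:
                attrs["type"] = str(lo)
            if hi != -1:
                attrs["code"] = str(hi)
        else:
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {lo}-{hi}")
            attrs["dstportstart"], attrs["dstportend"] = str(lo), str(hi)
        rule = ET.SubElement(root, "rule", {"action": "accept",
                                            "direction": "in", "priority": "500"})
        ET.SubElement(rule, proto, attrs)
    # Security groups are default-deny for ingress: drop what was not accepted.
    drop = ET.SubElement(root, "rule", {"action": "drop", "direction": "in",
                                        "priority": "1000"})
    ET.SubElement(drop, "all")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(security_group_to_nwfilter("example-secgroup", SAMPLE_RULES))
```

The resulting XML is what would be handed to libvirt (for instance with `virsh nwfilter-define`) on each compute node, and libvirt then programs iptables and ebtables on that node.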