Task #6681
Updated by Nico Schottelius over 5 years ago
h2. General idea
Instead of relying on OpenNebula (limited firewalling support) and iptables (we prefer nftables), we should have a more dynamic firewall.
This should also enable us to delegate /64 networks faster to our customers.
The general concept is that there is a virtual machine manager that decides on and writes the rules for all hypervisor hosts to a distributed store.
The hypervisor hosts then apply those changes locally and carry rules for all possible VMs, so migrations do not affect the rules.
h2. General rules
* Install nft ruleset that blocks forwarding of everything by default
** Ensure that bridging is also affected!
h2. VM rules
* Install rule for mac address per interface
* Install rule for the primary IPv4/IPv6 address
h2. Network rules / routing
If the customer requested a /64 for her VM
* Install rule for the IPv6 network
* Install route for the IPv6 network
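The following is an added example of what the VM manager could render for the hypervisors; it is not ungleich or OpenNebula code. It covers all three sections above in one ruleset: a default-drop forward policy that also covers bridged frames (done with the nftables @bridge@ family, so it works without loading br_netfilter), a per-interface MAC plus primary IPv4/IPv6 anti-spoofing rule for every VM NIC, and the extra accept rule and @ip -6 route@ for a delegated /64. Assumptions that are not in the task text: VM tap devices are named @one-<vmid>-<nic>@, all taps and the uplink @eth0@ sit on bridge @br0@, the primary addresses live on that bridged segment while a delegated /64 is routed by the hypervisor via the VM's primary IPv6 address, and the @Nic@ records and @SAMPLE_NICS@ are constructed data. Because the rendered text is identical for every hypervisor, each host can simply load it with @nft -f@.

```python
"""Render the nftables ruleset and IPv6 routes for all hypervisors from VM records.

Added example for this task (not ungleich/OpenNebula code). Assumed, not from
the task: tap names "one-<vmid>-<nic>", bridge "br0" with uplink "eth0",
primary addresses bridged, delegated IPv6 networks routed via the VM's IPv6.
"""
import ipaddress
import re
from dataclasses import dataclass, field

BRIDGE = "br0"   # assumed bridge holding every VM tap and the uplink
UPLINK = "eth0"  # assumed physical uplink port on that bridge
IFACE_RE = re.compile(r"one-\d+-\d+")              # assumed tap naming scheme
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


@dataclass
class Nic:
    """One VM interface as stored by the VM manager (constructed records below)."""
    iface: str                                     # tap device, e.g. "one-100-0"
    mac: str
    ipv4: str                                      # primary IPv4 address
    ipv6: str                                      # primary IPv6 address
    delegated: list = field(default_factory=list)  # IPv6 networks routed to ipv6


def normalize(nic):
    """Return a canonical Nic or raise ValueError.

    Every field is written verbatim into the ruleset file, so customer-supplied
    values are checked here: an unvalidated '}' or newline in a name would let
    a tenant rewrite the hypervisor's policy.
    """
    if not IFACE_RE.fullmatch(nic.iface):
        raise ValueError(f"bad interface name: {nic.iface!r}")
    mac = nic.mac.lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC: {nic.mac!r}")
    nets = [str(ipaddress.IPv6Network(n, strict=True)) for n in nic.delegated]
    return Nic(nic.iface, mac, str(ipaddress.IPv4Address(nic.ipv4)),
               str(ipaddress.IPv6Address(nic.ipv6)), nets)


def is_valid(nic):
    try:
        normalize(nic)
        return True
    except ValueError:
        return False


def vm_ingress_rules(nic):
    """Anti-spoofing on bridge ingress: a frame from this tap is accepted only
    with the VM's MAC and one of its addresses (ARP/IPv4 primary, IPv6 primary,
    link-local for NDP, and any delegated network)."""
    nic = normalize(nic)
    base = f'iifname "{nic.iface}" ether saddr {nic.mac}'
    rules = [
        f"{base} arp saddr ip {nic.ipv4} accept",
        f"{base} ip saddr {nic.ipv4} accept",
        f"{base} ip6 saddr fe80::/64 accept",
        f"{base} ip6 saddr {nic.ipv6} accept",
    ]
    return rules + [f"{base} ip6 saddr {net} accept" for net in nic.delegated]


def forward_rules(nic):
    """Routed traffic (inet forward hook): only the delegated networks are let
    through; everything else stays under the chain's drop policy."""
    nic = normalize(nic)
    out = []
    for net in nic.delegated:
        out += [f"ip6 saddr {net} accept", f"ip6 daddr {net} accept"]
    return out


def routes(nic):
    """Route each delegated network via the VM's primary IPv6 address."""
    nic = normalize(nic)
    return [f"ip -6 route replace {net} via {nic.ipv6} dev {BRIDGE}"
            for net in nic.delegated]


def render_ruleset(nics):
    """Ruleset the manager stores; every hypervisor loads it with `nft -f`."""
    ingress = "\n".join(f"        {r}" for n in nics for r in vm_ingress_rules(n))
    forward = "\n".join(f"        {r}" for n in nics for r in forward_rules(n))
    return f"""flush ruleset

table bridge vmfilter {{
    chain prerouting {{
        type filter hook prerouting priority -300; policy accept;
        iifname "one-*" jump vm_ingress
    }}
    chain vm_ingress {{
{ingress}
        counter drop
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        iifname "one-*" accept
        iifname "{UPLINK}" oifname "one-*" accept
    }}
}}

table inet filter {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
{forward}
    }}
}}
"""


# Constructed sample records, not real customer data.
SAMPLE_NICS = [
    Nic("one-100-0", "02:00:0A:00:00:01", "192.0.2.10", "2001:db8:0:1::10",
        delegated=["2001:db8:100::/64"]),   # this customer asked for a /64
    Nic("one-101-0", "02:00:0a:00:00:02", "192.0.2.11", "2001:db8:0:1::11"),
]

if __name__ == "__main__":
    print(render_ruleset(SAMPLE_NICS))
    for nic in SAMPLE_NICS:
        print("\n".join(routes(nic)))
```

The anti-spoofing jump hangs off the bridge @prerouting@ hook rather than @forward@ on purpose: frames a VM sends to the hypervisor's own MAC for routing (the delegated /64 path) never pass the bridge forward hook, so a check placed only there would miss them. The bridge @forward@ chain then only has to decide which ports may talk to each other, and the @inet@ forward chain only sees the routed delegated networks.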