Description of problem:
At present, the users/admin must log into the container and then manually set up iptables rules. This is not convenient for users/admin, especially if users/admin need to operate 1000+ containers. libvirt-sandbox should allow users/admin to create a container with specified iptables rules, or allow users/admin to configure iptables rules in the /etc/libvirt-sandbox/services/$name.sandbox configuration file.

Version-Release number of selected component (if applicable):
# rpm -q libvirt-sandbox libvirt selinux-policy systemd kernel
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
selinux-policy-3.12.1-56.el7.noarch
systemd-204-9.el7.1.x86_64
kernel-3.10.0-0.rc7.64.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. virt-sandbox-service has no iptables option, and there is no known way to add iptables rules in /etc/libvirt-sandbox/services/$name.sandbox.

Actual results:

Expected results:
Support setting up iptables rules from outside the container.

Additional info:
For example, libvirt-sandbox may by default allow access for all services or the relevant ports, and users/admin can then modify it according to their requirements.
With the latest virt-sandbox-service creating a persistent libvirt XML, it is now possible to modify it to include network filtering. This is not something we will officially recommend though, since it is not upgrade-safe: e.g. if you re-create the XML later, all custom modifications are lost. A proper solution involves new APIs in libvirt-sandbox.
So am I correct to think that this basically involves adding filterref elements to the libvirt network config XML and propagating that through libvirt-sandbox, etc.? Do we want additional configuration elements such as IP or CTRL_IP_LEARNING? In general I'm just looking for some good defaults and parameters we should add.
To be more clear, I was thinking this would involve adding e.g. "virt-sandbox -N dhcp,source=default,filterref=clean-traffic" and then adding the APIs to make it all happen from there. Correct?