
Firewall System Design and Implementation Based on oVirt Cloud Platform

Posted on: 2016-12-19
Degree: Master
Type: Thesis
Country: China
Candidate: C Yang
Full Text: PDF
GTID: 2308330473456631
Subject: Electronic and communication engineering

Abstract/Summary:
oVirt is an influential open source desktop cloud system that has absorbed the contributions of many researchers from the open source community and will guide the development of the desktop cloud. Many functional modules have already been added to oVirt, such as virtual machine life cycle management, storage management and network resource management. However, oVirt invests too little in network security: it lacks a network firewall system, so virtual machines can access the network without any control, which threatens the network security of the cloud environment. To address this situation, this thesis designs and implements a network firewall system based on the oVirt platform and adapted to the characteristics of oVirt. Firewall policy rules are configured in oVirt, the rules are then issued to the physical server that hosts the virtual machine, and finally the kernel firewall filters network packets according to the rules. The main contents are as follows:

1. We study network virtualization technology. Because virtual machines share network resources through the kernel bridge, we propose a network threat model for virtual machines in the cloud environment. By analyzing the network security threats, we settle on a packet filtering firewall design based on the kernel bridge.
2. We study oVirt desktop cloud technology. Because the cloud environment has a distributed network layout in which virtual machines can migrate between physical servers, we design a distributed cloud firewall system based on the migration of rules.
3. We study the packet filtering technology of the kernel firewall. A cloud environment has a large number of firewall rules, and the kernel firewall's filtering algorithm, which matches a packet against the rule table one rule at a time, is inefficient at that scale. This thesis proposes an improved algorithm that optimizes packet filtering by using a hash table to quickly locate the rules that need to be matched, so that each packet is checked against only a small number of rules, which increases the firewall's processing efficiency.

Finally, the system was developed and tested. The test results show that the system can effectively filter network packets for virtual machines through the configured firewall rules; that firewall rules take effect immediately when virtual machines migrate; and that, compared with the original packet filtering algorithm, the efficiency of the improved algorithm is significantly higher.
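The hash-based rule lookup described in the abstract can be sketched as follows. This is an added example, not code from the thesis: it is a user-space model, and the rule format, the choice of the VM's IPv4 address as hash key, the default-drop policy and all function names are assumptions. It shows the one point that is easy to get wrong, which is that rules matching any address must still be consulted in their original priority order so that the hashed lookup returns the same verdict as the linear scan.

```c
#include <stdint.h>
enum { DROP, ACCEPT, NBUCKET = 64, MAXRULES = 256 };
/* Hypothetical rule format: vm_ip == 0 or port == 0 means "any". */
struct rule { uint32_t vm_ip; uint16_t port; int action; };
static struct rule table[MAXRULES];
/* Chains of rule indices; slot NBUCKET holds the any-IP rules. */
static int nrules, next_rule[MAXRULES], head[NBUCKET + 1], tail[NBUCKET + 1];
static int slot(uint32_t ip) { return ip ? (int)((ip * 2654435761u) >> 26) : NBUCKET; }
static int hits(int i, uint32_t ip, uint16_t port) {
    return (!table[i].vm_ip || table[i].vm_ip == ip) && (!table[i].port || table[i].port == port);
}
/* Append a rule; chains keep insertion order, so rule priority is preserved. */
int fw_add(uint32_t ip, uint16_t port, int action) {
    if (nrules == MAXRULES) return -1;
    int i = nrules++, s = slot(ip);
    table[i] = (struct rule){ ip, port, action };
    next_rule[i] = -1;
    if (head[s] < 0) head[s] = i; else next_rule[tail[s]] = i;
    tail[s] = i;
    return i;
}
/* Baseline: walk the whole table, first match wins; *cmp counts rules tested. */
int fw_linear(uint32_t ip, uint16_t port, int *cmp) {
    *cmp = 0;
    for (int i = 0; i < nrules; i++) { ++*cmp; if (hits(i, ip, port)) return table[i].action; }
    return DROP;              /* default policy (assumption) */
}
/* Hashed: merge the packet's chain with the any-IP chain in rule-index order. */
int fw_hashed(uint32_t ip, uint16_t port, int *cmp) {
    int a = head[slot(ip)], b = ip ? head[NBUCKET] : -1;
    for (*cmp = 0; a >= 0 || b >= 0; ) {
        int i = (b < 0 || (a >= 0 && a < b)) ? a : b;   /* lower index = higher priority */
        if (i == a) a = next_rule[a]; else b = next_rule[b];
        ++*cmp;
        if (hits(i, ip, port)) return table[i].action;
    }
    return DROP;
}
/* Constructed ruleset: one global telnet block, then one ACCEPT rule per VM. */
void fw_demo_load(void) {
    nrules = 0;
    for (int s = 0; s <= NBUCKET; s++) head[s] = tail[s] = -1;
    fw_add(0, 23, DROP);
    for (uint32_t k = 1; k <= 100; k++) fw_add(0x0A000000u + k, 0, ACCEPT);
}
```

After `fw_demo_load()`, calling `fw_linear` and `fw_hashed` on the same packet returns the same verdict, while the `cmp` counter shows how many rules each path had to test.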
Keywords/Search Tags: desktop cloud, firewall, virtualization, migration, filtering algorithm optimization