1. Technical Field
Embodiments of the present disclosure relate to virtualization technology, and more particularly to a method for controlling settings of firewalls of virtual machines.
2. Description of Related Art
A virtual machine (VM) is a software implementation of a computer; a host can run one or more VMs. When a virtualization environment is established, a large number of hosts may be involved and a large number of VMs may be created. To protect the VMs, multiple firewalls are placed between the VMs and an external network (e.g., the Internet). Presently, the settings of these firewalls are configured manually by a network manager, who uses a management server to connect to each firewall and performs the setting operations on the firewalls one by one, which is repetitive and time-consuming. Therefore, there is room for improvement in the art.
The present disclosure, including the accompanying drawings, is illustrated by way of examples and not by way of limitation. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean “at least one.”
In general, the word “module”, as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions written in a programming language. One or more software instructions in the modules may be embedded in firmware, such as in an erasable programmable read only memory (EPROM). The modules described herein may be implemented as software and/or hardware modules and may be stored in any type of non-transitory computer-readable medium or other storage device. Some non-limiting examples of non-transitory computer-readable media include CDs, DVDs, BLU-RAY, flash memory, and hard disk drives.
In one embodiment, the management server 1 may be a machine independent from any host, or may be a VM installed in any host. The aforementioned modules, such as the control module 10, and the firewall agent modules 70 and 80, include computerized code in the form of one or more programs, which may be stored in the same storage device or different storage devices. For one example, the one or more programs of the control module 10 and the firewall agent modules 70 and 80 may be stored in a network storage device (not shown in
The control module 10 sends a firewall setting command to each firewall agent module (e.g., the firewall agent modules 70 and 80) of each firewall (e.g., the firewalls 7 and 8). The firewall agent module (e.g., the firewall agent module 70) receives the firewall setting command, sets parameters of the firewall (e.g., the firewall 7) according to the firewall setting command, and feeds back a reply to the control module 10. The firewall setting command may include adding, amending, or deleting firewall rules (e.g., packet filtering rules) of the firewall.
The control module 10 may further send a VM control command to each host agent module (e.g., the host agent modules 5, 6) of each host (e.g., the hosts 3, 4). The host agent module (e.g., the host agent module 5) receives the VM control command, and performs one or more operations on the one or more VMs in the host (e.g., the host 3). The operations may include adding a new VM, or deleting or shutting down a designated VM, for example.
In step S10, the control module 10 sends a firewall setting command to the firewall agent module of each firewall. As mentioned above, the firewall setting command may include adding, amending, or deleting firewall rules (e.g., packet filtering rules) of the firewall. In one embodiment, the control module 10 may send the firewall setting command to each of the firewall agent modules one by one, or may send the firewall setting command to all the firewall agent modules simultaneously. Different firewalls may receive the same firewall setting command or different firewall setting commands. For example, the control module 10 may send a first firewall setting command to both of the firewall agent modules 70 and 80, or may send the first firewall setting command to the firewall agent module 70 and a second firewall setting command to the firewall agent module 80.
In step S20, the firewall agent module receives the firewall setting command, sets parameters of the firewall according to the firewall setting command, and feeds back a reply to the control module 10. For example, if the first firewall setting command received by the firewall agent module 70 requests adding a packet filtering rule, the firewall agent module 70 adds the packet filtering rule to the settings of the firewall 7, and sends the present settings of the firewall 7 to the control module 10 as the reply.
In step S30, the control module 10 sends a VM control command to a host agent module of a host, such as the host agent module 5 of the host 3. The VM control command may include an ID of a VM, and one or more operations to be performed on the VM.
In step S40, the host agent module receives the VM control command, and performs the one or more operations on the designated VM according to the VM control command. For example, the host agent module 5 searches for the VM among all the VMs in the host 3 according to the ID of the VM contained in the VM control command, and performs the one or more operations on the VM that was found.
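The exchange of steps S10 through S40, modelled as an added example that is not code from this disclosure. The disclosure names the modules and says what the commands and replies carry; it does not specify a wire format, a rule schema, or how an agent knows a command really came from the control module. The JSON encoding, the four-field packet-filter rule schema, the per-agent validation, and the HMAC over each command with a pre-shared key are therefore assumptions made here for illustration.

```python
"""Toy model of the control module / firewall agent / host agent exchange.

Constructed for illustration. Assumed (not in the disclosure): JSON commands,
the rule schema in RULE_FIELDS, and a pre-shared key so an agent can reject
commands that did not originate from the control module.
"""
import hashlib
import hmac
import json

CONTROL_KEY = b"example-shared-key-not-for-production"  # assumed pre-shared key
RULE_FIELDS = {"id", "proto", "dst_port", "action"}      # assumed packet-filter rule schema


def sign(command):
    """Control module side: wrap a command with an HMAC over its canonical JSON."""
    body = json.dumps(command, sort_keys=True).encode()
    return {"body": command, "mac": hmac.new(CONTROL_KEY, body, hashlib.sha256).hexdigest()}


def verify(message):
    """Agent side: return the command if the MAC matches, otherwise None."""
    body = json.dumps(message["body"], sort_keys=True).encode()
    expected = hmac.new(CONTROL_KEY, body, hashlib.sha256).hexdigest()
    return message["body"] if hmac.compare_digest(expected, message["mac"]) else None


class FirewallAgent:
    """Firewall agent module: applies add/amend/delete, replies with present settings (S20)."""

    def __init__(self, name):
        self.name = name
        self.rules = {}  # rule id -> packet filtering rule

    def _reply(self, ok, error=None):
        # Every reply carries the firewall's present settings, success or not.
        return {"firewall": self.name, "ok": ok, "error": error,
                "rules": [self.rules[k] for k in sorted(self.rules)]}

    def handle(self, message):
        cmd = verify(message)
        if cmd is None:
            return self._reply(False, "bad mac")
        op, rule = cmd.get("op"), cmd.get("rule") or {}
        if not isinstance(rule, dict) or set(rule) - RULE_FIELDS or "id" not in rule:
            return self._reply(False, "malformed rule")
        rid = rule["id"]
        if op == "add":
            if set(rule) != RULE_FIELDS or rid in self.rules:
                return self._reply(False, "cannot add")
            self.rules[rid] = dict(rule)
        elif op == "amend":
            if rid not in self.rules:
                return self._reply(False, "unknown rule")
            self.rules[rid].update(rule)
        elif op == "delete":
            if rid not in self.rules:
                return self._reply(False, "unknown rule")
            del self.rules[rid]
        else:
            return self._reply(False, "unknown op")
        return self._reply(True)


class HostAgent:
    """Host agent module: looks the designated VM up by ID, then operates on it (S40)."""

    def __init__(self, name, vm_ids):
        self.name = name
        self.vms = {vm_id: "running" for vm_id in vm_ids}  # constructed inventory

    def _reply(self, ok, error=None):
        return {"host": self.name, "ok": ok, "error": error, "vms": dict(self.vms)}

    def handle(self, message):
        cmd = verify(message)
        if cmd is None:
            return self._reply(False, "bad mac")
        vm_id, ops = cmd.get("vm_id"), cmd.get("ops", [])
        for op in ops:
            if op == "add":
                if vm_id in self.vms:
                    return self._reply(False, "vm exists")
                self.vms[vm_id] = "running"
            elif op in ("shutdown", "delete"):
                if vm_id not in self.vms:  # the designated VM must be found first
                    return self._reply(False, "unknown vm")
                if op == "shutdown":
                    self.vms[vm_id] = "stopped"
                else:
                    del self.vms[vm_id]
            else:
                return self._reply(False, "unknown op")
        return self._reply(True)


class ControlModule:
    """Control module 10: fans commands out to firewall agents (S10) and host agents (S30)."""

    def __init__(self, firewall_agents, host_agents):
        self.firewall_agents = {a.name: a for a in firewall_agents}
        self.host_agents = {a.name: a for a in host_agents}

    def set_firewalls(self, op, rule, targets=None):
        """Same command to every firewall, or only to the named subset."""
        names = targets or list(self.firewall_agents)
        signed = sign({"op": op, "rule": rule})
        return {n: self.firewall_agents[n].handle(signed) for n in names}

    def control_vm(self, host, vm_id, ops):
        """VM control command: the VM ID plus the operations to perform on it."""
        return self.host_agents[host].handle(sign({"vm_id": vm_id, "ops": list(ops)}))
```

Because each agent reply returns the firewall's complete present rule set, the control module can compare what it intended with what is actually in force, which is the check a manual one-firewall-at-a-time workflow never gets for free. The MAC check and the rejection of unknown rules and VMs are the editor's additions; the disclosure itself leaves command authentication and validation unspecified.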
Although certain disclosed embodiments of the present disclosure have been specifically described, the present disclosure is not to be construed as being limited thereto. Various changes or modifications may be made to the present disclosure without departing from the scope and spirit of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
2013101432120 | Apr 2013 | CN | national |