In computer science, a virtual machine (VM) is a piece of software that, when executed on appropriate hardware, creates an environment allowing the virtualization of an actual physical computer system. Each VM may function as a self-contained platform, running its own operating system (OS) and software applications (processes). Typically, a virtual machine monitor (VMM) manages the allocation and virtualization of computer resources and performs context switching, as necessary, to cycle between the various VMs.
A host machine (e.g., computer or server) is typically enabled to simultaneously run multiple VMs, where each VM may be used by a local or remote client. The host machine allocates a certain amount of the host's resources to each of the VMs. Each VM is then able to use the allocated resources to execute applications, including operating systems known as guest operating systems. The VMM virtualizes the underlying hardware of the host machine or emulates hardware devices, making the use of the VM transparent to the guest operating system or the remote client that uses the VM.
A VM is generally capable of sending and/or receiving network traffic by utilizing a virtual network switch (i.e., a bridge device) on the host machine providing the VM. The VM can “plug in” to this virtual network switch and direct its network traffic through this device. This virtual network switch may show up as a network interface of the host machine having a corresponding virtual network driver.
A virtualization system administrator may seek to configure and enforce network filtering and forwarding programming rules on the VM and to manage the parameters of the network traffic that the VM is allowed to send and/or receive through the virtual network switch. Because the filtering/forwarding programming rules cannot be circumvented from within the VM, they are mandatory from the point of view of a VM user.
Currently, there are two modes of operation of a virtualization system in terms of network filtering programming. The first operating mode includes allowing the hypervisor (and thereby the VMs managed by that hypervisor) to perform any type of networking programming. In other words, any type of request from the VM can be transmitted and received. Although very flexible, this mode of operation has security and performance implications.
The second operating mode includes a component separate from the VM setting up the networking parameters for the VM and not allowing the VM to request or make any networking configuration changes. In this way, the VM is disconnected from all networking decisions. The network configuration of the host is set up by the separate networking component, and then the VM's network is set up to match it when the VM is started. If any configuration changes are made to the VM's network, then its networking will not work. This second operating mode provides better security and performance than the first operating mode, but it is very strict, and the ability to program the network from the VM (which can be an important and competitive key feature of VMs) is lost.
In terms of network forwarding programming, a host machine is currently responsible for forwarding a packet, when it arrives at the host machine, to an application on the host machine or to one or more of the VMs hosted by the host machine. Currently, the host machine can “learn” which packets should be forwarded to which location by snooping on the outgoing packets from the VMs: the source address or the data portion of the outgoing packets gives the address to which the host machine should forward a return packet. These snooping results may be stored in a forwarding table on the host machine for each port (e.g., VM, host, external host, etc.). When a packet arrives, the host machine may look up the destination address in the table to determine where the packet should be forwarded (i.e., which VM, which host machine, all or none of the above). This form of packet forwarding using learning/snooping logic places a high CPU load on the host machine.
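The learning/snooping forwarding logic described above, together with a host-enforced filter of the kind the administrator configures in the earlier paragraphs, as an added simulation that is not part of the original text. The port names, the frame layout, and the choice of an "allowed source address per port" rule (so a VM cannot poison the table with another VM's address) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str            # source MAC of the sender
    dst: str            # destination MAC
    payload: bytes = b""

@dataclass
class LearningBridge:
    """Host-side virtual switch: snoops source addresses, forwards by destination."""
    ports: List[str]                                     # VM ports, host port, uplink
    table: Dict[str, str] = field(default_factory=dict)  # learned MAC -> port
    # Mandatory per-port filter enforced on the host (assumed rule type for this
    # example): a port may only send from the listed source addresses; absent = any.
    allowed_src: Dict[str, Set[str]] = field(default_factory=dict)

    def permitted(self, frame: Frame, in_port: str) -> bool:
        rule = self.allowed_src.get(in_port)
        return rule is None or frame.src in rule

    def learn(self, frame: Frame, in_port: str) -> None:
        """Record which port the sender is reachable through (the snooping step)."""
        if frame.src != BROADCAST:
            self.table[frame.src] = in_port

    def forward(self, frame: Frame, in_port: str) -> List[str]:
        """Return the egress ports for a frame arriving on in_port."""
        if not self.permitted(frame, in_port):
            return []                                  # dropped by the host-side filter
        self.learn(frame, in_port)
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [p for p in self.ports if p != in_port]   # broadcast/unknown: flood
        out = self.table[frame.dst]
        return [] if out == in_port else [out]         # same port: drop; else deliver

def demo() -> Dict[str, str]:
    """Two constructed frames: vm1 -> vm2 (flooded, learns vm1), reply vm2 -> vm1."""
    br = LearningBridge(ports=["vm1", "vm2", "host", "uplink"],
                        allowed_src={"vm1": {"02:00:00:00:00:01"}})
    br.forward(Frame("02:00:00:00:00:01", "02:00:00:00:00:02"), "vm1")
    br.forward(Frame("02:00:00:00:00:02", "02:00:00:00:00:01"), "vm2")
    return dict(br.table)

if __name__ == "__main__":
    print(demo())
```

A frame whose source address violates the port's rule is dropped before the learning step, so the forwarding table only ever reflects addresses the host permitted.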