I'd like oVirt to make a more extensive usage of libvirt's nwfilters in
order to implement security groups, i.e. which protocol/port/host should
be open on an interface.
Since oVirt is centrally-managed by ovirt-engine, filter definitions
should be edited there and kept in its database. However, libvirt's
domain xml requires to have a locally-defined filter as well:
<devices>
  <interface type='bridge'>
    <filterref filter='filter-name'/>
  </interface>
</devices>
We can live with it by defining an ad-hoc filter before starting a VM,
deleting it after the VM stops, and collecting garbage (due to system
crashes) occasionally.
It would be nicer if we could instead have just-in-time filter
definition such as
<devices>
  <interface type='bridge'>
    <filter name='nameless'>
      <rule/>
      <rule/>
      <rule/>
    </filter>
  </interface>
</devices>
avoiding nwfilter persistence. Would something like this be beneficial
to other libvirt users? Would it be easy to implement within libvirt?
Regards,
Dan.
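The ad-hoc workaround described above (define a per-VM nwfilter before the VM starts, undefine it afterwards, and garbage-collect leftovers after a crash) as an added, self-contained example; this is not oVirt or libvirt code. It builds a default-deny, security-group style nwfilter (listed inbound flows accepted, all outbound accepted, everything else dropped), and computes which ad-hoc filters are stale. The `ovirt-sg-` name prefix, the `allowed_in` tuple shape and the sample VM names are assumptions; the optional `sync_with_libvirt` helper needs libvirt-python and a running libvirtd, and is not exercised offline.

```python
"""Ad-hoc per-VM nwfilter lifecycle (constructed example, not oVirt/libvirt code)."""
import uuid
import xml.etree.ElementTree as ET

# Assumed naming convention so ad-hoc filters can be told apart from
# hand-written ones (e.g. libvirt's own 'clean-traffic') during garbage collection.
FILTER_PREFIX = "ovirt-sg-"


def filter_name_for(vm_name):
    """Name of the ad-hoc filter that belongs to one VM (assumed convention)."""
    return FILTER_PREFIX + vm_name


def build_security_group_filter(vm_name, allowed_in):
    """Return nwfilter XML for a default-deny security group.

    allowed_in: iterable of (protocol, dst_port, src_ip_or_None); each entry
    becomes an 'in' rule (traffic towards the VM).  Outbound traffic is
    accepted, and a final low-priority rule drops everything else.
    """
    root = ET.Element("filter", name=filter_name_for(vm_name), chain="root")
    ET.SubElement(root, "uuid").text = str(uuid.uuid4())
    prio = 100                      # lower number = evaluated earlier
    for proto, port, src in allowed_in:
        rule = ET.SubElement(root, "rule", action="accept",
                             direction="in", priority=str(prio))
        attrs = {"dstportstart": str(port)}
        if src:
            attrs["srcipaddr"] = src  # restrict to one source host
        ET.SubElement(rule, proto, attrs)
        prio += 10
    out = ET.SubElement(root, "rule", action="accept", direction="out", priority="500")
    ET.SubElement(out, "all")
    drop = ET.SubElement(root, "rule", action="drop", direction="inout", priority="1000")
    ET.SubElement(drop, "all")      # default deny for anything not matched above
    return ET.tostring(root, encoding="unicode")


def rule_summary(xml_text):
    """(action, direction, protocol) per rule, in order; used to check a filter."""
    root = ET.fromstring(xml_text)
    return [(r.get("action"), r.get("direction"), list(r)[0].tag)
            for r in root.findall("rule")]


def stale_filters(defined_filter_names, live_vm_names):
    """Garbage collection: ad-hoc filters whose VM is no longer running.

    Only names carrying FILTER_PREFIX are candidates, so filters that were not
    created by this workflow are never touched.
    """
    wanted = {filter_name_for(v) for v in live_vm_names}
    return sorted(n for n in defined_filter_names
                  if n.startswith(FILTER_PREFIX) and n not in wanted)


def sync_with_libvirt(uri="qemu:///system"):
    """Undefine stale ad-hoc filters on a real host (needs libvirt-python)."""
    import libvirt  # imported lazily so the rest of the module works offline
    conn = libvirt.open(uri)
    try:
        defined = [f.name() for f in conn.listAllNWFilters()]
        live = [d.name() for d in
                conn.listAllDomains(libvirt.VIR_CONNECT_LIST_DOMAINS_ACTIVE)]
        removed = stale_filters(defined, live)
        for name in removed:
            conn.nwfilterLookupByName(name).undefine()
        return removed
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample: allow ssh from one admin host and https from anywhere.
    print(build_security_group_filter("vm1", [("tcp", 22, "192.0.2.10"),
                                              ("tcp", 443, None)]))
    print(stale_filters(["ovirt-sg-vm1", "ovirt-sg-vm2", "clean-traffic"], ["vm1"]))
```

Before starting the VM, ovirt-engine (or the host agent) would pass the generated XML to `conn.nwfilterDefineXML()` and reference it from the domain XML exactly as in the `<filterref filter='...'/>` snippet above; the prefix check in `stale_filters` is what keeps the periodic garbage collection from undefining filters that were not created by this workflow.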