libvir-list-bounces@redhat.com wrote on 01/26/2010 08:24:43 AM:
>
> Daniel,
>
> ok, trying to combine your suggestions:
>
> - guest contains a single filter reference per interface
>
> guest.xml:
> ----------
> <domain type='kvm'>
> <name>demo</name>
> <memory>256000</memory>
> <devices>
> <interface type="bridge">
> <filter name='demofilter' ipaddr='10.0.0.1'/>
> </interface>
> </devices>
> </domain>
>
As the implementation of this progresses and we make design decisions, we have now
introduced attributes and values for the filters to be passed in the format of
att%d='<attribute>' val%d='<value>'
thus we would rewrite the above example to:
<domain type='kvm'>
<name>demo</name>
<memory>256000</memory>
<devices>
<interface type="bridge">
<filter name='demofilter' att0='IP' val0='10.0.0.1'/>
</interface>
</devices>
</domain>
This allows us to pass any necessary parameters to the filters for instantiation in
the respective environment. So, if a filter is to be instantiated and holds the variable
XYZ, then one may add
att1='XYZ' val1='<some value>'
> - complex filters include other filters and can contain rules
>
> complex demofilter.xml:
> -----------------------
> <filter name='demofilter'>
> <include href='drop-all'/>
> <include href='no-arp-spoofing' srcipaddr='$IP'/>
--> <include href='no-arp-spoofing' att0='IP' val0='1.2.3.4'/>
> <include href='no-mac-spoofing'/>
> <include href='no-ip-spoofing' srcipaddr='$IP'/>
> <!-- no ip spoofing -->
> <rule action='drop' direction='out'>
> <ip match='no' srcipaddr='$IP'/>
> </rule>
> </filter>
>
So any referenced filter, as also shown above in the demofilter.xml, could hold
environment-specific values for required variables.
A filter requiring a variable that is not passed is not instantiated and will prevent
interface creation / attachment or the start of the VM.
Further, if an attribute-value pair (IP) as shown here is passed from the domain XML and
another value, as shown here in the referenced filter, is set again, the one from
further 'up' is used, i.e., IP=10.0.0.1 rather than IP=1.2.3.4.
Does this sound ok?
Regards,
Stefan
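The resolution rule discussed above (domain-level att%d/val%d values override those on a referenced filter's <include>, and a filter whose $VAR nobody passed is not instantiated), as an added worked example that is not libvirt code from the thread; the function names, the constructed guest/filter XML and the use of Python's xml.etree are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the thread's guest.xml and demofilter.xml
DOMAIN_XML = """<domain type='kvm'><name>demo</name><devices>
<interface type='bridge'><filter name='demofilter' att0='IP' val0='10.0.0.1'/></interface>
</devices></domain>"""
FILTER_XML = """<filter name='demofilter'>
<include href='drop-all'/>
<include href='no-arp-spoofing' att0='IP' val0='1.2.3.4'/>
<include href='no-mac-spoofing'/>
<include href='no-ip-spoofing' att0='IP' val0='1.2.3.4'/>
<rule action='drop' direction='out'><ip match='no' srcipaddr='$IP'/></rule>
</filter>"""
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")

def att_val_pairs(elem):
    """Turn att%d='NAME' val%d='VALUE' attribute pairs into {NAME: VALUE}."""
    pairs = {}
    for key, name in elem.attrib.items():
        m = re.fullmatch(r"att(\d+)", key)
        if m:
            if "val" + m.group(1) not in elem.attrib:
                raise ValueError(f"{key} has no matching val{m.group(1)}")
            pairs[name] = elem.attrib["val" + m.group(1)]
    return pairs

def domain_filter_vars(domain_xml):
    """{filter name: variables} for each <filter> reference on an interface."""
    return {f.get("name"): att_val_pairs(f)
            for f in ET.fromstring(domain_xml).iter("filter")}

def instantiate_filter(filter_xml, outer):
    """Resolve a filter against variables passed from 'further up'.
    Returns (includes, rules): includes are (href, vars) with the outer value
    winning over one set on the <include>; rule attributes get $VAR substituted.
    Raises KeyError for a required variable that was not passed (hypothetical
    stand-in for refusing to instantiate the filter)."""
    root = ET.fromstring(filter_xml)
    includes = [(inc.get("href"), {**att_val_pairs(inc), **outer})
                for inc in root.findall("include")]
    def subst(m):
        if m.group(1) not in outer:
            raise KeyError(f"filter needs ${m.group(1)} but it was not passed")
        return outer[m.group(1)]
    rules = [(r.get("action"), r.get("direction"), c.tag,
              {k: VAR_RE.sub(subst, v) for k, v in c.attrib.items()})
             for r in root.findall("rule") for c in r]
    return includes, rules

if __name__ == "__main__":
    print(instantiate_filter(FILTER_XML, domain_filter_vars(DOMAIN_XML)["demofilter"]))
```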