2010/2/18 Stefan Berger <stefanb(a)us.ibm.com>:
libvir-list-bounces(a)redhat.com wrote on 01/26/2010 08:24:43 AM:
>
> Daniel,
>
> ok, trying to combine your suggestions:
>
> - guest contains a single filter reference per interface
>
> guest.xml:
> ----------
> <domain type='kvm'>
> <name>demo</name>
> <memory>256000</memory>
> <devices>
> <interface type="bridge">
> <filter name='demofilter' ipaddr='10.0.0.1'/>
> </interface>
> </devices>
> </domain>
>
As the implementation of this progresses and we make design decisions, we have now
introduced attributes and values for the filters to be passed in the format of
att%d='<attribute>' val%d='<value>'
thus we would rewrite the above example to:
<domain type='kvm'>
<name>demo</name>
<memory>256000</memory>
<devices>
<interface type="bridge">
<filter name='demofilter' att0='IP' val0='10.0.0.1'/>
</interface>
</devices>
</domain>
This allows us to pass any necessary parameters to the filters for
instantiation in the respective environment. So, if a filter is to be
instantiated and holds the variable XYZ, then one may add
att1='XYZ' val1='<some value>'
Passing parameters this way seems a bit unexpected for XML. How about
something like this:
<interface type="bridge">
<filter name='demofilter'>
<parameter name='IP' value='10.0.0.1'/>
</filter>
</interface>
> - complex filter include other filter and can contain rules
>
> complex demofilter.xml:
> -----------------------
> <filter name='demofilter'>
> <include href='drop-all'/>
> <include href='no-arp-spoofing' srcipaddr='$IP'/>
--> <include href='no-arp-spoofing' att0='IP'
val0='1.2.3.4'.
And the same pattern for the includes:
<include href='no-arp-spoofing'>
<parameter name='IP' value='1.2.3.4'/>
</include>
Matthias
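
Added example, not part of the thread and not libvirt code: a Python sketch that reads filter parameters from both syntaxes discussed above, showing the index-pairing check the att%d/val%d form needs and the nested <parameter> form does not. The function names, the rule for valid parameter names and the sample value for XYZ are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two syntaxes discussed in the thread.
NUMBERED = "<filter name='demofilter' att0='IP' val0='10.0.0.1' att1='XYZ' val1='42'/>"
NESTED = """<filter name='demofilter'>
  <parameter name='IP' value='10.0.0.1'/>
  <parameter name='XYZ' value='42'/>
</filter>"""

NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")  # assumed rule for variable names


def _add(params, name, value):
    # Reject names that could not be a $VARIABLE, and silent overrides.
    if not NAME_RE.match(name):
        raise ValueError(f"invalid parameter name: {name!r}")
    if name in params:
        raise ValueError(f"duplicate parameter: {name!r}")
    params[name] = value


def filter_params(xml_text):
    """Return (filter name, {parameter: value}) for either syntax."""
    elem = ET.fromstring(xml_text)
    params = {}
    # Numbered form: every attN needs a valN with the same index, and vice versa.
    atts = {k[3:]: v for k, v in elem.attrib.items() if re.fullmatch(r"att\d+", k)}
    vals = {k[3:]: v for k, v in elem.attrib.items() if re.fullmatch(r"val\d+", k)}
    if atts.keys() != vals.keys():
        unpaired = sorted(atts.keys() ^ vals.keys(), key=int)
        raise ValueError(f"unpaired att/val index: {unpaired}")
    for idx in sorted(atts, key=int):
        _add(params, atts[idx], vals[idx])
    # Nested form: each <parameter> carries its own name and value.
    for p in elem.findall("parameter"):
        if "name" not in p.attrib or "value" not in p.attrib:
            raise ValueError("<parameter> needs both name and value")
        _add(params, p.attrib["name"], p.attrib["value"])
    return elem.get("name"), params
```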