Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
On Mon, 2010-01-25 at 14:59 +0000, Daniel P. Berrange wrote:
The shear size of the ruleset inside the <interface> element
is
rather alarming to me. Imagine if you have a guest with more
than one NIC. I'm inclined to suggest that the <interface>
element in the domain XML description should only have a single
rule
<filter name='BLAH'/>
and if apps wish to construct a filter, from multiple independant
sub-filters, then that should be done against the filter object's
config, rather than the domain object's config.
Daniel,
we could achieve something similar with the following construct:
<xi:include href="demofilter.xml"
xmlns:xi="http://www.w3.org/2001/XInclude"/>
This would also have the advantage that the filter rules do not clutter
up the domain xml, but the migration of the rules might be simpler to
implement.
What is your thinking about this approach?
--
Best regards,
Gerhard Stenzel,
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martin Jetter
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294