
On Mon, Feb 22, 2010 at 01:45:20PM +0100, Gerhard Stenzel wrote:
Hi, here is a preview of a chapter which is eventually intended for the libvirt application development guide. It is not final yet, but I feel now would be a good moment to gather some first feedback and to "finalise" the XML schema which is used in the examples.
Thanks, this is a good idea !
------------------------------------------------------------------------
1. Network Filter
1.1. Overview
1.2. XML Filter Description Format
1.2.1. Complex Filter
1.2.2. Simple Filters
1.3. Retrieving Information About Filter
1.3.1. TBD
Chapter 1. Network Filter
---------------------------
This section covers the management and definition of network filters using the libvirt API.
1.2.2. Simple Filters
The following examples of simple filters are predefined and address distinct filter requirements. The predefined no-arp-spoofing filter drops all ARP packets
* originating from the guest if they contain other than the guest's IP or MAC address
* destined for the guest if they contain other than the guest's IP or MAC address
It accepts all request or reply ARP packets.
<filter name='no-arp-spoofing' chain='arp'>
Perhaps we should call that 'chain' attribute 'protocol' instead since that appears to be what you're representing there. I'm wondering how this should interact with the <filterref> element. eg, you might have chain='ipv4' on the main filter, and then a <filterref> pointing to a chain='arp'. One way would be to declare that a <filter> can contain either <rule> or <filterref>, but not a mixture of both.
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
  <!-- no arp spoofing -->
  <!-- drop if ipaddr or macaddr does not belong to guest -->
  <rule action='drop' direction='out'>
    <arp match='no' srcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out'>
    <arp match='no' srcipaddr='$IP'/>
  </rule>
  <!-- drop if ipaddr or macaddr does not belong to guest -->
  <rule action='drop' direction='in'>
    <arp match='no' dstmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='in'>
    <arp match='no' dstipaddr='$IP'/>
  </rule>
  <!-- accept only request or reply packets -->
  <rule action='accept' direction='inout'>
    <arp opcode='request'/>
  </rule>
  <rule action='accept' direction='inout'>
    <arp opcode='reply'/>
  </rule>
  <!-- drop everything else -->
  <rule action='drop' direction='inout'/>
</filter>
Generally, your proposal looks good to me.

Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
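To make the drop/accept behaviour of the proposed no-arp-spoofing filter traceable, here is an added toy evaluator in Python. It is not part of the thread and not libvirt's nwfilter implementation: it parses the filter XML quoted above, substitutes constructed values for $MAC and $IP, and walks the rules in document order with first-match-wins semantics, falling back to accept when nothing matches (both of those evaluation details are assumptions of this example, not something the thread specifies). Only the `<arp>` attributes used in this filter are modelled, and the guest addresses and sample packets are constructed.

```python
# Added example (not from the thread, not libvirt's own code): a toy evaluator
# that applies the no-arp-spoofing rules to constructed ARP packets.
import xml.etree.ElementTree as ET

# The filter XML as proposed in the thread (comments omitted).
FILTER_XML = """
<filter name='no-arp-spoofing' chain='arp'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
  <rule action='drop' direction='out'><arp match='no' srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out'><arp match='no' srcipaddr='$IP'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstmacaddr='$MAC'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstipaddr='$IP'/></rule>
  <rule action='accept' direction='inout'><arp opcode='request'/></rule>
  <rule action='accept' direction='inout'><arp opcode='reply'/></rule>
  <rule action='drop' direction='inout'/>
</filter>
"""

# Constructed guest addresses standing in for the $MAC / $IP variables.
GUEST_VARS = {"MAC": "52:54:00:aa:bb:cc", "IP": "192.168.122.10"}

# <arp> attribute name -> field of our packet dicts.
ARP_FIELDS = {
    "srcmacaddr": "src_mac", "srcipaddr": "src_ip",
    "dstmacaddr": "dst_mac", "dstipaddr": "dst_ip", "opcode": "opcode",
}

# Constructed sample packets as seen on the guest's interface.
_BASE = {"proto": "arp", "src_mac": "52:54:00:aa:bb:cc", "src_ip": "192.168.122.10",
         "dst_mac": "ff:ff:ff:ff:ff:ff", "dst_ip": "192.168.122.1"}
SAMPLE_PACKETS = {
    "legit_request_out": dict(_BASE, direction="out", opcode="request"),
    "spoofed_mac_out": dict(_BASE, direction="out", opcode="request",
                            src_mac="52:54:00:de:ad:00"),
    "spoofed_ip_out": dict(_BASE, direction="out", opcode="reply",
                           src_ip="192.168.122.1"),
    "legit_reply_in": dict(_BASE, direction="in", opcode="reply",
                           dst_mac="52:54:00:aa:bb:cc", dst_ip="192.168.122.10"),
    "reply_for_other_guest_in": dict(_BASE, direction="in", opcode="reply",
                                     dst_mac="52:54:00:aa:bb:cc", dst_ip="192.168.122.77"),
    "odd_opcode_in": dict(_BASE, direction="in", opcode="rarp-reply",
                          dst_mac="52:54:00:aa:bb:cc", dst_ip="192.168.122.10"),
}


def substitute(value, variables):
    """Resolve a $NAME reference against the guest's variables."""
    return variables[value[1:]] if value.startswith("$") else value


def rule_matches(rule, packet, variables):
    """True if the rule's direction and every protocol child match the packet."""
    direction = rule.get("direction")
    if direction != "inout" and direction != packet["direction"]:
        return False
    for proto in rule:                      # a childless rule is a catch-all
        if proto.tag != "arp" or packet["proto"] != "arp":
            return False                    # only ARP is modelled here
        negate = proto.get("match") == "no"
        fields_equal = all(
            packet[ARP_FIELDS[attr]] == substitute(val, variables)
            for attr, val in proto.attrib.items() if attr != "match")
        if fields_equal == negate:          # match='no' inverts the comparison
            return False
    return True


def evaluate(filter_xml, packet, variables):
    """Assumption: first matching rule in document order decides; else accept."""
    root = ET.fromstring(filter_xml)
    for rule in root.iter("rule"):
        if rule_matches(rule, packet, variables):
            return rule.get("action")
    return "accept"


def run_all():
    """Verdict for every constructed sample packet."""
    return {name: evaluate(FILTER_XML, pkt, GUEST_VARS)
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:28s} -> {verdict}")
```

Running it shows the two halves of the filter at work: outbound packets are dropped as soon as either the source MAC or the source IP differs from the guest's, inbound packets are dropped when the destination does not name this guest, and anything that survives those checks but is neither a request nor a reply (the `rarp-reply` sample) falls through to the final catch-all drop.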