Re: [libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs
Matthias Bolte <matthias.bolte(a)googlemail.com> wrote on 02/18/2010
09:15:47 AM:
"Daniel P. Berrange", veillard, libvir-list, Vivek Kashyap
2010/2/18 Stefan Berger <stefanb(a)us.ibm.com>:
>
> <domain type='kvm'>
> <name>demo</name>
> <memory>256000</memory>
> <devices>
> <interface type="bridge">
> <filter name='demofilter' att0='IP'
val0='10.0.0.1'/>
> </interface>
> </devices>
> </domain>
>
> This allows us to pass any necessary parameters to the filters for
> instantiation in
> the respective environment. So, if a filter is to be instantiated and
holds
> the variable
> XYZ, then one may add
>
> att1='XYZ' val1='<some value>'
Passing parameters this way seems a bit unexpected for XML. How about
something like this:
<interface type="bridge">
<filter name='demofilter'>
<parameter name='IP' value='10.0.0.1'/>
</filter>
</interface>
I think we'll change this to ...
<interface type="bridge">
<filterref ref='demofilter'>
<parameter name='IP' value='10.0.0.1'/>
</filter>
</interface>
>
>> - complex filter include other filter and can contain rules
>>
>> complex demofilter.xml:
>> -----------------------
>> <filter name='demofilter'>
>> <include href='drop-all'/>
>> <include href='no-arp-spoofing' srcipaddr='$IP'/>
>
> --> <include href='no-arp-spoofing' att0='IP'
val0='1.2.3.4'.
>
And the same pattern for the includes:
... and this to ...
<include href='no-arp-spoofing'>
<parameter name='IP' value='1.2.3.4'/>
</include>
<filterref ref='no-arp-spoofing'>
<parameter name='IP' value='1.2.3.4'/>
</include>
... to be consistent.
Thanks for feedback.
Stefan
Matthias
Attachments:
- attachment.html (text/html — 3.0 KB)