[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

[Matthias Bolte]

2010/2/18 Stefan Berger <stefanb at us.ibm.com>:
>
> libvir-list-bounces at redhat.com wrote on 01/26/2010 08:24:43 AM:
>
>
>
>>
>> Daniel,
>>
>> ok, trying to combine your suggestions:
>>
>> - guest contains a single filter reference per interface
>>
>> guest.xml:
>> ----------
>> <domain type='kvm'>
>>   <name>demo</name>
>>   <memory>256000</memory>
>>   <devices>
>>     <interface type="bridge">
>>       <filter name='demofilter' ipaddr='10.0.0.1'/>
>>     </interface>
>>   </devices>
>> </domain>
>>
>
> As the implementation of this progresses and we make design decision, we now
> introduced attributes and values for the
> filters to be passed in the format of
>
> att%d='<attribute>' val%d='<value>'
>
> thus we would rewrite the above example to:
>
> <domain type='kvm'>
>  <name>demo</name>
>  <memory>256000</memory>
>  <devices>
>    <interface type="bridge">
>      <filter name='demofilter' att0='IP' val0='10.0.0.1'/>
>    </interface>
>  </devices>
> </domain>
>
> This allows us to pass any necessary parameters to the filters for
> instantiation in
> the respective environment. So, if a filter is to be instantiated and holds
> the variable
> XYZ, then one may add
>
> att1='XYZ' val1='<some value>'

Passing parameters this way seems a bit unexpected for XML. How about
something like this:

<interface type="bridge">
  <filter name='demofilter'>
    <parameter name='IP' value='10.0.0.1'/>
  </filter>
</interface>

>
>> - complex filter include other filter and can contain rules
>>
>> complex demofilter.xml:
>> -----------------------
>> <filter name='demofilter'>
>>   <include href='drop-all'/>
>>   <include href='no-arp-spoofing' srcipaddr='$IP'/>
>
> -->   <include href='no-arp-spoofing' att0='IP' val0='1.2.3.4'.
>

And the same pattern for the includes:

<include href='no-arp-spoofing'>
  <parameter name='IP' value='1.2.3.4'/>
</include>

Matthias