[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Gerhard Stenzel gstenzel at linux.vnet.ibm.com
Thu Feb 4 12:07:59 UTC 2010


On Mon, 2010-01-25 at 14:59 +0000, Daniel P. Berrange wrote:
> The sheer size of the ruleset inside the <interface> element is
> rather alarming to me. Imagine if you have a guest with more
> than one NIC.  I'm inclined to suggest that the <interface> 
> element in the domain XML description should only have a single
> rule
> 
>    <filter name='BLAH'/>
> 
> and if apps wish to construct a filter, from multiple independent
> sub-filters, then that should be done against the filter object's
> config, rather than the domain object's config. 

Daniel,
we could achieve something similar with the following construct:

<xi:include href="demofilter.xml"
xmlns:xi="http://www.w3.org/2001/XInclude"/>

This would also have the advantage that the filter rules do not clutter
up the domain xml, but the migration of the rules might be simpler to
implement.
What is your thinking about this approach?

-- 
Best regards, 

Gerhard Stenzel, 
-----------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martin Jetter
Managing Director: Dirk Wittkopp
Registered office: Böblingen
Registration court: Amtsgericht Stuttgart, HRB 243294
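The XInclude construct proposed above, as an added example that is not part of this thread or of libvirt's own code: the domain XML keeps a single xi:include inside <interface>, and a small loader expands it from an in-memory, allow-listed filter document so the included rules end up where the per-interface element sits. The <filter>/<rule> element names in the sample are assumed for illustration, not libvirt's final nwfilter schema, and the allow-list loader is this example's own stand-in for whatever resolver libvirt would use.

```python
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample: the domain XML carries only an xi:include in <interface>.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <xi:include href="demofilter.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    </interface>
  </devices>
</domain>"""

# Constructed sample: the separately kept filter document. The element names
# (<filter>, <rule>, <ip>) are assumed here, not libvirt's final schema.
FILTER_FILES = {
    "demofilter.xml": """<filter name='demofilter'>
  <rule action='drop' direction='out'>
    <ip srcipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='inout'/>
</filter>""",
}


def restricted_loader(href, parse, encoding=None):
    """Resolve hrefs only from the allow-listed in-memory documents above.
    Any other href (an absolute path, a parent directory, a URL) is refused
    instead of being read, which is the property a resolver for
    configuration-driven includes needs."""
    if parse != "xml" or href not in FILTER_FILES:
        raise PermissionError(f"include of {href!r} is not permitted")
    return ET.fromstring(FILTER_FILES[href])


def expand_domain(domain_xml):
    """Return the domain tree with every xi:include replaced in place by the
    referenced filter element (stdlib ElementInclude does the substitution)."""
    root = ET.fromstring(domain_xml)
    ElementInclude.include(root, loader=restricted_loader)
    return root


def rule_count(root):
    """Number of <rule> elements that ended up inside <interface>/<filter>."""
    return len(root.findall("./devices/interface/filter/rule"))
```

After expansion the tree looks exactly as if the filter had been written inline, which is the state a migration would have to transfer if the include is resolved on the source host.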