[libvirt] [RFC] Proposal for introduction of network traffic filtering capabilities for filtering of network traffic from and to VMs

Stefan Berger stefanb at us.ibm.com
Thu Feb 18 13:53:22 UTC 2010


libvir-list-bounces at redhat.com wrote on 01/26/2010 08:24:43 AM:
> 
> Daniel,
> 
> ok, trying to combine your suggestions:
> 
> - guest contains a single filter reference per interface
> 
> guest.xml:
> ----------
> <domain type='kvm'>
>   <name>demo</name>
>   <memory>256000</memory>
>   <devices>
>     <interface type="bridge">
>       <filter name='demofilter' ipaddr='10.0.0.1'/>
>     </interface>
>   </devices>
> </domain>
> 

As the implementation of this progresses and we make design decisions, we
have now introduced attributes and values for the filters to be passed in
the format of

att%d='<attribute>' val%d='<value>'

thus we would rewrite the above example to:

<domain type='kvm'>
  <name>demo</name>
  <memory>256000</memory>
  <devices>
    <interface type="bridge">
      <filter name='demofilter' att0='IP' val0='10.0.0.1'/>
    </interface>
  </devices>
</domain>

This allows us to pass any necessary parameters to the filters for
instantiation in the respective environment. So, if a filter is to be
instantiated and holds the variable XYZ, then one may add

att1='XYZ' val1='<some value>'


> - complex filter include other filter and can contain rules
> 
> complex demofilter.xml:
> -----------------------
> <filter name='demofilter'>
>   <include href='drop-all'/>
>   <include href='no-arp-spoofing' srcipaddr='$IP'/>

-->   <include href='no-arp-spoofing' att0='IP' val0='1.2.3.4'/>

>   <include href='no-mac-spoofing'/>
>   <include href='no-ip-spoofing' srcipaddr='$IP'/>
>   <!-- no ip spoofing -->
>   <rule action='drop' direction='out'>
>     <ip match='no' srcipaddr='$IP'/>
>   </rule>
> </filter>
> 

So any referenced filter, as also shown above in the demofilter.xml, could
hold environment-specific values for required variables.
A filter requiring a variable that is not passed is not instantiated and
will prevent interface creation / attachment or the start of the VM.
Further, if an attribute/value pair (IP) as shown here is passed from the
domain XML and another value, as shown here in the referenced filter, is
set again, the one from further 'up' is used, i.e., IP=10.0.0.1 rather
than IP=1.2.3.4.

Does this sound ok?

Regards,
   Stefan
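As an added illustration (not code from this thread or from libvirt), the following Python models the proposed att%d/val%d variable passing: the domain's pairs flow down through the filter's <include> elements, a value set further 'up' overrides one set on an include, and a filter whose $VAR has no value refuses to instantiate. The in-memory filter store and the contents of no-arp-spoofing are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed stand-in for a filter store: demofilter's include sets IP=1.2.3.4,
# which the domain's own IP=10.0.0.1 must override.
FILTERS = {
    "demofilter": "<filter name='demofilter'>"
        "<include href='no-arp-spoofing' att0='IP' val0='1.2.3.4'/>"
        "<rule action='drop' direction='out'><ip match='no' srcipaddr='$IP'/></rule>"
        "</filter>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing'><rule action='drop' direction='out'>"
        "<arp match='no' arpsrcipaddr='$IP'/></rule></filter>",
}
ATT_RE = re.compile(r"^att(\d+)$")

def att_val_pairs(elem):
    """Collect att%d='NAME' val%d='VALUE' attribute pairs into {NAME: VALUE}."""
    pairs = {}
    for key, name in elem.attrib.items():
        m = ATT_RE.match(key)
        if m:
            val = elem.get("val" + m.group(1))
            if val is None:
                raise ValueError(f"{key} has no matching val{m.group(1)}")
            pairs[name] = val
    return pairs

def instantiate(name, variables, depth=0):
    """Expand filter `name` and its includes into (filter, protocol, attrs) rules.
    Values from further 'up' win over an <include>'s own att/val pairs; an
    unset $VAR aborts instantiation, as the proposal requires."""
    if depth > 16: raise ValueError("include chain too deep")
    rules = []
    for child in ET.fromstring(FILTERS[name]):
        if child.tag == "include":
            scope = {**att_val_pairs(child), **variables}   # caller overrides
            rules += instantiate(child.get("href"), scope, depth + 1)
        elif child.tag == "rule":
            for match in child:
                attrs = {}
                for k, v in match.attrib.items():
                    if v.startswith("$") and v[1:] not in variables:
                        raise KeyError(f"filter {name!r} needs variable {v[1:]}")
                    attrs[k] = variables[v[1:]] if v.startswith("$") else v
                rules.append((name, match.tag, attrs))
    return rules

def filters_for_domain(domain_xml):
    """Instantiate every <filter> an interface in the domain XML references."""
    dom = ET.fromstring(domain_xml)
    return [r for f in dom.iter("filter") for r in instantiate(f.get("name"), att_val_pairs(f))]
```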