On Mon, Feb 22, 2010 at 01:45:20PM +0100, Gerhard Stenzel wrote:
>
> Hi, here is a preview of a chapter which is eventually intended for the
> libvirt application development guide. It is not final yet, but I feel
> now would be a good moment to gather some first feedback and to
> "finalise" the XML schema which is used in the examples.

Thanks, this is a good idea!

> ------------------------------------------------------------------------
>
> 1. Network Filter
>     1.1. Overview
>     1.2. XML Filter Description Format
>         1.2.1. Complex Filter
>         1.2.2. Simple Filters
>     1.3. Retrieving Information About Filter
>         1.3.1. TBD
>
>
> Chapter 1. Network Filter
> ---------------------------
>
> 1.1. Overview
> 1.2. XML Filter Description Format
>     1.2.1. Complex Filter
>     1.2.2. Simple Filters
> 1.3. Retrieving Information About Filter
>     1.3.1. TBD
>
> This section covers the management and definition of network filters
> using the libvirt API.
>
>
> 1.2.2. Simple Filters
>
> The following examples of simple filters are predefined and address
> distinct filter requirements. The predefined no-arp-spoofing filter drops
> all ARP packets
>
>   * originating from the guest if they contain other than the guest's IP
>     or MAC address
>
>   * destined for the guest if they contain other than the guest's IP or
>     MAC address
>
> It accepts all request or reply ARP packets.
>
>   <filter name='no-arp-spoofing' chain='arp'>

Perhaps we should call that 'chain' attribute 'protocol' instead since
that appears to be what you're representing there.

I'm wondering how this should interact with the <filterref> element.
eg, you might have chain='ipv4' on the main filter, and then a
<filterref> pointing to a chain='arp'. One way would be to declare
that a <filter> can contain either <rule> or <filterref>, but not a
mixture of both.

>     <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
>
>     <!-- no arp spoofing -->
>     <!-- drop if ipaddr or macaddr does not belong to guest -->
>     <rule action='drop' direction='out'>
>       <arp match='no' srcmacaddr='$MAC'/>
>     </rule>
>     <rule action='drop' direction='out'>
>       <arp match='no' srcipaddr='$IP' />
>     </rule>
>     <!-- drop if ipaddr or macaddr does not belong to guest -->
>     <rule action='drop' direction='in'>
>       <arp match='no' dstmacaddr='$MAC'/>
>     </rule>
>     <rule action='drop' direction='in'>
>       <arp match='no' dstipaddr='$IP' />
>     </rule>
>     <!-- accept only request or reply packets -->
>     <rule action='accept' direction='inout'>
>       <arp opcode='request'/>
>     </rule>
>     <rule action='accept' direction='inout'>
>       <arp opcode='reply'/>
>     </rule>
>     <!-- drop everything else -->
>     <rule action='drop' direction='inout'/>
>   </filter>

Generally, your proposal looks good to me.

Regards,
Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
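To make the semantics of the quoted no-arp-spoofing filter concrete, here is an added example (not code from the thread or from libvirt) that parses that filter XML, expands the $MAC/$IP variables, enforces the proposed "either <rule> or <filterref>, not both" constraint, and evaluates constructed ARP packet descriptions against the rules. The first-match-wins ordering, the reading of match='no' as an inverted test, and the guest addresses are assumptions made here for illustration.

```python
# Added example, not from the libvirt thread: a toy evaluator for the
# no-arp-spoofing filter XML. Rule semantics (first match wins, match='no'
# inverts a test) are assumed here for illustration only.
import xml.etree.ElementTree as ET

# The filter as quoted in the thread, with $MAC/$IP left unexpanded.
FILTER_XML = """<filter name='no-arp-spoofing' chain='arp'>
  <rule action='drop' direction='out'><arp match='no' srcmacaddr='$MAC'/></rule>
  <rule action='drop' direction='out'><arp match='no' srcipaddr='$IP'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstmacaddr='$MAC'/></rule>
  <rule action='drop' direction='in'><arp match='no' dstipaddr='$IP'/></rule>
  <rule action='accept' direction='inout'><arp opcode='request'/></rule>
  <rule action='accept' direction='inout'><arp opcode='reply'/></rule>
  <rule action='drop' direction='inout'/>
</filter>"""

# Constructed guest addresses standing in for the $MAC and $IP variables.
GUEST = {'MAC': '52:54:00:aa:bb:cc', 'IP': '192.168.122.10'}

def load_filter(xml_text, variables):
    """Parse a <filter>, reject mixed <rule>/<filterref>, expand $VARS."""
    root = ET.fromstring(xml_text)
    if root.find('rule') is not None and root.find('filterref') is not None:
        raise ValueError("a <filter> may hold <rule> or <filterref>, not both")
    rules = []
    for rule in root.findall('rule'):
        arp = rule.find('arp')
        attrs = arp.attrib if arp is not None else {}
        conds = {k: (variables[v[1:]] if v.startswith('$') else v)
                 for k, v in attrs.items()}
        rules.append((rule.get('action'), rule.get('direction'), conds))
    return rules

def evaluate(rules, direction, packet):
    """Return the action of the first rule that matches this ARP packet."""
    for action, rule_dir, conds in rules:
        if rule_dir not in ('inout', direction):
            continue
        negate = conds.get('match', 'yes') == 'no'
        fields = {k: v for k, v in conds.items() if k != 'match'}
        hit = all(packet.get(k) == v for k, v in fields.items())
        if hit != negate:          # match='no' fires when the test fails
            return action
    return 'accept'                # not reached here: last rule is a catch-all

def decide(direction, packet):
    """Evaluate one packet (dict of arp attributes) against the filter."""
    return evaluate(load_filter(FILTER_XML, GUEST), direction, packet)
```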