On Fri, Jan 22, 2010 at 01:29:16PM +0100, Gerhard Stenzel wrote:
> On Wed, 2010-01-13 at 17:36 +0000, Daniel P. Berrange wrote:
> > In addition the DMTF XML format illustrated above is seriously ugly
> > and not following the style of other libvirt XML formats. The use
> > of UPPERCASE alone is reason enough to create a native libvirt format
> > for this.  We should of course ensure that whatever we do can be
> > reliably mapped into the DMTF format via a simple XSL transform.
> > 
> > Daniel
> Hi, we have been thinking about the comments regarding the XML format
> and hope the following is more in line with other libvirt XML formats:
> As Stefan proposed originally, the guest interface has an additional
> firewall. The firewall can have several filters, some of which are
> generic and template based and some are guest specific. The template
> filters can take parameters.
> The filters contain rules, currently for mac, arp, vlan and ip. A rule
> is applied if the conditions specified by the attributes and their
> values are true and the specified action will happen. The match
> attribute can be used to specify that the action should happen if the
> condition is not true.
> If an attribute is supplied on a rule but its value is empty (''), the
> supplied parameter for a template or the respective value for the
> current interface is used.
> This will need a few more examples to verify it is sufficient, but here
> is the current status:
> The guest xml file:
> -------------------
> <domain type='kvm'>
>   <name>demo</name>
>   <memory>256000</memory>
>   <devices>
>     <interface type="bridge">
>       <firewall>
>       <filter template='drop-all'/>
>       <filter template='no-arp-spoofing' srcipaddr=''/>
>       <filter template='no-mac-spoofing'/>
>       <filter template='no-ip-spoofing srcipaddr=''/>
>       <filter>
>         <!-- allow outgoing IPV4 packets with the 
>              guest mac addr and vlanid 3 -->
>         <rule action='allow' direction='out'>
>           <mac srcmacaddr='' />
>           <vlan id='3'/>
>           <ip version='4'/>
>         </rule>
>         <!-- only accept non-IPV6 packets from
>         'aa:bb:cc:dd:ee:ff' -->
>         <rule action='allow' direction='in'>
>           <mac srcmacaddr='aa:bb:cc:dd:ee:ff' />
>           <vlan id='3'/>
>           <ip  match='no' version='6'/>
>         </rule>
>         <!-- no access to port 25 allowed -->
>         <rule action='allow' direction='in'>
>           <ip match='no'
>               dstportstart = '25'
>               dstportend   = '25' />
>         </rule>
>       </filter>
>       </firewall>
>     </interface>
>   </devices>
> </domain>

The shear size of the ruleset inside the <interface> element is
rather alarming to me. Imagine if you have a guest with more
than one NIC.  I'm inclined to suggest that the <interface> 
element in the domain XML description should only have a single

   <filter name='BLAH'/>

and if apps wish to construct a filter, from multiple independant
sub-filters, then that should be done against the filter object's
config, rather than the domain object's config. 

> The template xml files could be similar to this:
> ------------------------------------------------
> <firewall>
>   <!-- by default drop everything -->
>   <template name='drop-all'>
>     <filter policy='drop' />
>   </template>
>   <template name='no-arp-spoofing'>
>     <filter name='ARP' policy='drop'>
>       <!-- no arp spoofing -->
>       <!-- drop if ipaddr or macaddr does not belong to guest -->
>       <rule action='drop' direction='out'>
>       <arp match='no' srcmacaddr=''/>
>       <arp match='no' srcipaddr='' />
>       </rule>
>       <!-- drop if ipaddr or macaddr does not belong to guest -->
>       <rule action='drop' direction='in'>
>       <arp match='no' dstmacaddr=' '/>
>       <arp match='no' dstipaddr='' />

What was the idea with the empty attributes here ?  Are those 
implying that the attribute value is to be filled in with the
value from the domain XML ? If so I'd probably make that more
explicit using something like  $IP and $MAC to represent the
guest configured IP/MAC

>       </rule>
>       <!-- allow all other request or reply packets -->
>       <rule action='allow' direction='inout'>
>       <arp opcode='request'/>
>       <arp opcode='reply'/>
>       </rule>
>     </filter>
>   </template>
>   <template name='no-mac-spoofing'>
>     <filter name='DLFT'>
>       <!-- no mac spoofing -->
>       <rule action='drop' direction='out'>
>       <mac match='no' srcmacaddr=''/>
>       </rule>
>     </filter>
>   </template>
>   <template name='no-ip-spoofing'>
>     <filter name='IPv4'>
>       <!-- no ip spoofing -->
>       <rule action='drop' direction='out'>
>       <ip match='no' srcipaddr=''/>
>       </rule>
>     </filter>
>   </template>

I don't think that '<firewall>' is the top level object to be managed
here. I would suggest that '<firewall>' and  '<template>' elements are
redundant, and that <filter> should be for the top level managed objects.
The libvirt API would allow listing of existing filters, creating / deleting
filters and updating the config. The <filter> element would allow some kind
of <include> element to allow a complex filter to be built out of multiple 
simpler filters.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

libvir-list mailing list

Reply via email to