Cluster Filter Modules
Home/Documents/Development/High-Level Design/Cluster Filter Modules
by Benad
The Cluster Filter Modules are used to filter incoming and outgoing data in a cluster.
Table of Contents
The Cluster Filter Modules simply filters data coming in or out of a cluster. There could be various reasons why one would want to filter some packets, and this kind of module easily allows developers to do that.
The filtering can be based on the data contained in the packets, the service number, or based on the information given by the Bandwidth Manager.
Also, a Filter Module can decide to force disconnection of an ANet connection to the network if the same connection is not "following the rules" defined by the Filter Module(1). Thus, the Filter Modules have to very important role of defining the security requirements of a cluster; any connection that does not follow the security requirements of the Filter Module should eventually be disconnected.
As input, the Filter Modules will have a list of the AIPs[1] that can be filtered and a list of the connection IDs that want to send or receive that data.
As output, you have to produce two lists. The first list is a list of indexes of the AIPs you want to delete. For example, if the fifth AIP in the input list of AIPs has to be deleted, then you add "5" to the list of AIP indexed to be deleted(2). The second list is a list of connection IDs to be deleted.
One other function has to be implemented in the Filter Modules, while another one is optional, but can be very useful for the deamon.
The first function, the required one, gives as output its own definition of the security requirements. This definition consists of a "definition kind" and the definition itself. The definition will be used be the Handshaking Protocol Modules to tell to the other node what are the security requirements of the cluster.
The second function, the optional one, is used to do "forced" filtering. The function will be called by the deamon when it finds out that to much data is trying get out at the same time. Without this function, the deamon will delete random packets, which might not be very good if some packets can be considered as more important than others. The input and output for this function is similar to the "main" function of the Filter Modules, but it additionally has both the total size of the AIP list, and the size, in bytes, of what needs to be deleted.
- The Filter Modules do not have to be very complex. The easiest example is filtering by the service number. Actually, it is recommended that all Filter Modules implement this kind of filtering.
- Since Filter Modules can filter based on more than one logic, the security requirements is actually a list of the definition kind and the definition itself.
- Don't put too much information in the security requirements. For example, if you filter using keywords, giving a list of hundred of thousands of "banned" words would be a bad idea. The deamon will impose a tight limit on the total size of all security requirements of a Filter Module.
See the complete DTD for more information.
Notes
(1) The "origin or destination" part of the AIP, when inside a Filter Module, is a connection ID.
(2) Thus, you don't have to fill an list of the unfiltered AIPs. Anyways, that would be too awkward.
References
About the references...
[1] Benad: "Cluster Group Modules". Local link.
Last update for this document: August 24, 2001, at 1:24:32 PST
Home