The Cluster Filter Modules are used to filter incoming and outgoing data in a cluster.
The Cluster Filter Modules simply filters data coming in or out of a cluster. There could be various reasons why one would want to filter some packets, and this kind of module easily allows developers to do that.
The filtering can be based on the data contained in the packets, the service number, or based on the information given by the Bandwidth Manager.
Also, a Filter Module can decide to force disconnection of an ANet connection to the network if the same connection is not "following the rules" defined by the Filter Module(1). Thus, the Filter Modules have to very important role of defining the security requirements of a cluster; any connection that does not follow the security requirements of the Filter Module should eventually be disconnected.
As input, the Filter Modules will have a list of the AIPs[1] that can be filtered and a list of the connection IDs that want to send or receive that data.
As output, you have to produce two lists. The first list is a list of indexes of the AIPs you want to delete. For example, if the fifth AIP in the input list of AIPs has to be deleted, then you add "5" to the list of AIP indexed to be deleted(2). The second list is a list of connection IDs to be deleted.
One other function has to be implemented in the Filter Modules, while another one is optional, but can be very useful for the deamon.
The first function, the required one, gives as output its own definition of the security requirements. This definition consists of a "definition kind" and the definition itself. The definition will be used be the Handshaking Protocol Modules to tell to the other node what are the security requirements of the cluster.
The second function, the optional one, is used to do "forced" filtering. The function will be called by the deamon when it finds out that to much data is trying get out at the same time. Without this function, the deamon will delete random packets, which might not be very good if some packets can be considered as more important than others. The input and output for this function is similar to the "main" function of the Filter Modules, but it additionally has both the total size of the AIP list, and the size, in bytes, of what needs to be deleted.
See the complete DTD for more information.
<!-- Cluster Filter Module --> <!ELEMENT ClusterFilter EMPTY> <!ATTLIST ClusterFilter %moduleName; %args; %security;> |
(1) The "origin or destination" part of the AIP, when inside a Filter Module, is a connection ID.
(2) Thus, you don't have to fill an list of the unfiltered AIPs. Anyways, that would be too awkward.
Last update for this document: August 24, 2001, at 1:24:32 PST