Virtual filtering platform in distributed computing systems

US10516728B2 · US · B2

Patent metadata
Publication number: US-10516728-B2
Application number: US-201715639319-A
Country: US
Kind code: B2
Filing date: Jun 30, 2017
Priority date: Mar 10, 2017
Publication date: Dec 24, 2019
Grant date: Dec 24, 2019


Abstract

Official abstract text for this publication.

Computing systems, devices, and associated methods of operation of filtering packets at virtual switches implemented at hosts in a distributed computing system are disclosed herein. In one embodiment, a method includes receiving, at the virtual switch, a packet having a header and a payload and processing, at the virtual switch, the received packet based on multiple match action tables arranged in a hierarchy in which first and second layers individually contain one or more match action tables that individually contain one or more entries each containing a condition and a corresponding processing action.

First claim

Opening claim text (preview).

I claim:

1. A method for facilitating communication in a distributed computing system having hosts individually supporting a virtual switch and one or more virtual machines, comprising: receiving, at the virtual switch, a packet having a header with multiple header fields and a payload; processing, at the virtual switch, the received packet based on multiple layer, group, and rule objects arranged in a hierarchy in which the multiple layer objects are arranged in a sequence at the same level in the hierarchy and individually contain one or more group objects that are arranged in a sequence at the same level in the hierarchy and that individually contain one or more rule objects, each of the rule objects containing one or more conditions and a corresponding action performable by the virtual switch on the packet, wherein processing the received packet includes, for each of the layer objects, performing, in the arranged sequence, the following operations: determining whether a value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the group objects of the one of the layer objects; in response to determining that the value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the group objects of the one of the layer objects, applying the action of the rule object to the packet; and passing the packet with the applied action to a next one of the layer objects and repeating the determining and applying operations according to rule objects in the next one of the layer objects.

2. The method of claim 1 wherein processing the received packet includes processing the received packet according to the hierarchy also containing a port object as a higher level object than the multiple layer objects, the port object being associated with a virtual port of the virtual switch connected to one of the virtual machines, and wherein the method further includes: determining whether the packet is destined to the one of the virtual machines connected to the virtual port; and in response to determining that the packet is destined to the one of the virtual machines connected to the virtual port, processing the received packet in accordance with the multiple layer, group, and rule objects in the port object.

3. The method of claim 1 wherein: the layer objects are independently programmed to implement different processing policies on the received packet, the different processing policies individually include virtual network processing, network name translation processing, access control list processing, or metering processing.

4. The method of claim 1 wherein: the layer objects are independently programmed to implement different processing policies on the received packet; and the method further comprising processing the packet passed from the one of the layer object in accordance with another one of the layer object based on a state of the packet after the action is applied to the received packet.

5. The method of claim 1 wherein: the layer objects are independently programmed to implement different processing policies on the received packet in a sequence; the received packet is an incoming packet; processing the received packet includes processing the received packet according to the layer objects in the sequence; and the method further includes: receiving, at the virtual switch, an outgoing packet; and processing the received outgoing packet according to the layer objects in a reverse order of the sequence.

6. The method of claim 1 wherein applying the action of the rule object to the packet includes one of: encapsulating or decapsulating the received packet with an additional header; converting a virtual IP address of the received packet to a direct IP address; blocking or allowing the received packet for forwarding to the virtual machine based on an access control list; or adjusting a counter reflecting a number of packets received or transmitted to or from the virtual machine.

7. The method of claim 1 wherein the one of the layer object includes a first group object and a second group object, and wherein processing the received packet includes: determining whether the value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the first group object; in response to determining that the value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the first group object, determining whether the first group object is marked as terminating; and in response to determining that the first group object is marked as terminating, applying the action of the rule object to the packet without processing the received packet according to the rule objects in the second group object.

8. The method of claim 1 wherein the one of the layer object includes a first group object and a second group object, and wherein processing the received packet includes: determining whether the value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the first group object; in response to determining that the value in one or more of the header fields of the packet matches the one or more conditions of one of the rule objects in the first group object, determining whether the first group object is marked as terminating; and in response to determining that the first group object is not marked as terminating, processing the received packet according to the rule objects in the second group object without applying the action of the rule object in the first group object.

9. The method of claim 1, further comprising subsequent to processing the received packet according to all of the layer objects, forwarding the processed packet with accumulatively applied actions to one of the virtual machines.

10. A computing device in a distributed computing system having hosts individually supporting a virtual switch and one or more virtual machines, comprising: a processor; and a memory containing instructions executable by the processor to provide a virtual switch and cause the computing device to: receive a packet having a header and a payload; and in response to receiving the packet, at the virtual switch, processing the received packet based on multiple match action tables arranged in a hierarchy in which multiple layers are arranged in a sequence at the same level in the hierarchy and individually contain one or more groups that individually contain one or more rules, each of the rules containing an entry in one of the match action tables with a condition and an action, wherein to process the received packet includes, for each of the multiple layers, performing, in the arranged sequence, the following operations: select one of the rules in each of the layers as matching the received packet; and accumulatively apply the actions of the selected rules from the multiple layers to the received packet.

11. The computing device of claim 10 wherein to select one of the rules in each of the layers as matching the received packet includes to select only one rule in each of the layers as matching the received packet.

12. The computing device of claim 10 wherein: the rules in each of the layers have corresponding priority values; and to select one of the rules in each of the layers as matching the received packet includes to select only one rule with highest priority value as matching the received packet.

13. The computing device of claim 10 wherein to select one of th
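The claims above describe a processing order rather than code: a port object owns a sequence of layers, each layer owns a sequence of groups, each group owns prioritized rules, and a packet collects one action per layer as it passes through them (inbound in sequence, outbound in reverse). The following Python model is an added example written for this page; it is not code from the patent or from Microsoft. The class names, the packet-as-dictionary representation, the MAC-keyed port lookup, the choice to stop processing once an ACL rule drops a packet, and every address and policy in it are constructed for illustration. It implements the terminating/non-terminating group semantics of claims 7 and 8 literally (a hit in a non-terminating group is discarded and the next group is tried), the highest-priority selection of claim 12, and the reverse-order outbound walk of claim 5.

```python
"""Model of the layer / group / rule match-action hierarchy in the claims.

Added example, not code from the patent or from Microsoft. Class names, the
dict-based packet, the MAC-keyed port lookup and all addresses and policies
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]            # header fields plus bookkeeping keys
Action = Callable[[Packet], Packet]   # returns a (possibly rewritten) copy


@dataclass
class Rule:
    conditions: Dict[str, object]     # header field -> required value ({} = match all)
    action: Action
    priority: int = 0                 # highest value wins inside a group (claim 12)

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.conditions.items())


@dataclass
class Group:
    rules: List[Rule]
    terminating: bool = True          # claims 7 and 8

    def best_match(self, pkt: Packet) -> Optional[Rule]:
        hits = [r for r in self.rules if r.matches(pkt)]
        return max(hits, key=lambda r: r.priority) if hits else None


@dataclass
class Layer:
    name: str
    groups: List[Group]

    def select_rule(self, pkt: Packet) -> Optional[Rule]:
        # Groups are tried in sequence. A hit in a terminating group ends the
        # layer with that rule (claim 7); a hit in a non-terminating group is
        # discarded and the next group is tried (claim 8, read literally).
        for group in self.groups:
            rule = group.best_match(pkt)
            if rule is not None and group.terminating:
                return rule
        return None                   # at most one rule per layer (claim 11)


@dataclass
class Port:
    layers: List[Layer]               # inbound order; outbound walks it reversed (claim 5)

    def process(self, pkt: Packet, outgoing: bool) -> Packet:
        pkt = dict(pkt, direction="out" if outgoing else "in", applied=[])
        for layer in (reversed(self.layers) if outgoing else self.layers):
            rule = layer.select_rule(pkt)
            if rule is None:
                continue
            pkt = rule.action(pkt)                 # actions accumulate (claims 9, 10)
            pkt["applied"].append(layer.name)
            if pkt.get("dropped"):                 # an ACL block ends processing (assumed)
                break
        return pkt


class VirtualSwitch:
    """Port object above the layers (claim 2): the packet is handled by the
    port of the VM it is destined to (inbound) or came from (outbound)."""

    def __init__(self, ports: Dict[str, Port]):   # keyed by VM MAC (assumption)
        self.ports = ports

    def deliver(self, pkt: Packet, outgoing: bool = False) -> Optional[Packet]:
        port = self.ports.get(pkt.get("src_mac" if outgoing else "dst_mac"))
        return None if port is None else port.process(pkt, outgoing)


# Constructed sample: one VM behind a VIP, RFC 5737 documentation addresses.
VM_MAC, VM_DIP, VM_VIP = "02:00:00:00:00:01", "10.0.0.5", "203.0.113.10"
LOCAL_HOST, PEER_HOST = "198.51.100.1", "198.51.100.2"


def set_field(field: str, value: object) -> Action:
    return lambda p: dict(p, **{field: value})


def build_switch():
    counters = {"in": 0, "out": 0}

    def meter(p: Packet) -> Packet:               # metering layer action (claim 6)
        counters[str(p["direction"])] += 1
        return p

    vnet = Layer("vnet", [Group([                  # decapsulate in, encapsulate out
        Rule({"direction": "in"}, lambda p: {k: v for k, v in p.items() if k != "outer"}),
        Rule({"direction": "out"}, set_field("outer", {"src": LOCAL_HOST, "dst": PEER_HOST})),
    ])])
    nat = Layer("nat", [Group([                    # VIP <-> DIP translation (claim 6)
        Rule({"dst_ip": VM_VIP}, set_field("dst_ip", VM_DIP)),
        Rule({"src_ip": VM_DIP}, set_field("src_ip", VM_VIP)),
    ])])
    acl = Layer("acl", [Group([                    # two inbound rules can match; priority decides
        Rule({"direction": "in", "proto": "tcp", "dst_port": 443}, lambda p: p, priority=10),
        Rule({"direction": "in"}, set_field("dropped", True), priority=0),
        Rule({"direction": "out"}, lambda p: p),
    ])])
    meter_layer = Layer("meter", [Group([Rule({}, meter)])])
    return VirtualSwitch({VM_MAC: Port([vnet, nat, acl, meter_layer])}), counters


def demo():
    switch, counters = build_switch()
    web = {"dst_mac": VM_MAC, "src_ip": "192.0.2.7", "dst_ip": VM_VIP, "proto": "tcp",
           "dst_port": 443, "outer": {"src": PEER_HOST, "dst": LOCAL_HOST}}
    ssh = dict(web, dst_port=22)
    reply = {"src_mac": VM_MAC, "src_ip": VM_DIP, "dst_ip": "192.0.2.7",
             "proto": "tcp", "src_port": 443}
    return switch.deliver(web), switch.deliver(ssh), switch.deliver(reply, outgoing=True), counters


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the module shows the three outcomes the claims describe: the inbound HTTPS packet leaves the pipeline decapsulated, translated to the DIP, allowed and counted; the inbound SSH packet is dropped at the ACL layer and never reaches the meter; and the VM's reply walks the layers in reverse (meter, ACL, NAT, VNET), so it is translated back to the VIP and then encapsulated for the peer host. Note that the ACL layer's default-deny and allow-443 rules both match the HTTPS packet, and only the higher-priority allow is applied, which is the single-rule-per-layer behaviour of claims 11 and 12.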

Assignees

Microsoft Technology Licensing LLC (as stated in the FAQ on this page)

Inventors

Classifications

  • Centralised routing · CPC title

  • Translation of Internet protocol [IP] addresses · CPC title

  • in the transport layer [OSI layer 4] (H04L69/16 takes precedence) · CPC title

  • involving identification of individual flows · CPC title

  • Parsing or analysis of headers · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10516728B2 cover?
Computing systems, devices, and associated methods of operation of filtering packets at virtual switches implemented at hosts in a distributed computing system are disclosed herein. In one embodiment, a method includes receiving, at the virtual switch, a packet having a header and a payload and processing, at the virtual switch, the received packet based on multiple match action tables arranged…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification H04L67/10. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 24, 2019 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).