Cooperated approach to network packet filtering

The invention claimed is: 1. A network interface apparatus in a computer system, comprising: a first virtual function of a plurality of virtual functions, the first virtual function owned by a first virtual machine present in the computer system; a first simple filtering agent, associated with the first virtual function, to enforce one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules; a second virtual function of the plurality of virtual functions, the second virtual function owned by a virtual machine monitor present in the computer system; and a side bounce filtering agent to forward the first network packet to the second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules. 2. The network interface apparatus of claim 1 , further comprising: the second virtual function allowing the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge to enforce one or more complex filtering rules at a second filtering level for the first network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the first network packet; and reroute the first network packet through the second virtual function to the first virtual function, in response to the first network packet being verified. 3. The network interface apparatus of claim 1 , further comprising: an arbitrator to route the first network packet from the network to one of the plurality of virtual functions, and to route one or more packets received from at least one of the plurality of virtual functions to the network. 4. The network interface apparatus of claim 1 , further comprising: a third virtual function of the plurality of virtual functions, the third virtual function owned by a second virtual machine present in the computer system. 5. The network interface apparatus of claim 1 , wherein each virtual function of the plurality of virtual functions comprises a queue pair to handle incoming and outgoing network packets of the plurality of network packets. 6. The network interface of claim 1 , further comprising: the first simple filtering agent further operable to enforce one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and the side bounce filtering agent to forward the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules. 7. The network interface apparatus of claim 6 , further comprising: the second virtual function to allow the second network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge to enforce one or more complex filtering rules at a second filtering level for the second network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the second network packet; and reroute the second network packet through the second virtual function to the network, in response to the second network packet being verified. 8. A computer system, comprising: a processor; a system memory; a virtual machine monitor to assign time slices of compute time of the processor, a portion of system memory, and a set of I/O resources to each of a plurality of virtual machines; a first virtual machine of the plurality of virtual machines; and a network interface controller, the network interface controller including: a first virtual function of a plurality of virtual functions, the first virtual function owned by the first virtual machine; a first simple filtering agent, associated with the first virtual function, to enforce one or more inbound simple filter rules at a first filtering level for a first network packet of a plurality of network packets received from a network, wherein at least one of the one or more inbound simple filter rules blocks the first network packet from reaching the first virtual machine in response to the first network packet failing at least one of the one or more inbound simple filter rules; a second virtual function of the plurality of virtual functions, the second virtual function owned by the virtual machine monitor; and a side bounce filtering agent to forward the first network packet to the second virtual function in response to first network packet being blocked by the at least one of the one or more inbound simple filter rules. 9. The system of claim 8 , wherein the second virtual function is further operable to: allow the first network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Ethernet bridge to enforce one or more complex filtering rules at a second filtering level for the first network packet, wherein at least one of the one or more complex filtering rules is capable of verifying the first network packet; and reroute the first network packet through the second virtual function to the first virtual function, in response to the first network packet being verified. 10. The system of claim 8 , wherein the network interface controller further comprises: an arbitrator to route the first network packet from the network to one of the plurality of virtual functions, and to route one or more packets received from at least one of the plurality of virtual functions to the network. 11. The system of claim 8 , further comprising: a second virtual machine; wherein the network interface controller further comprises a third virtual function of the plurality of virtual functions, the third virtual function owned by the second virtual machine. 12. The system of claim 8 , wherein each virtual function of the plurality of virtual functions comprises a queue pair to handle incoming and outgoing network packets of the plurality of network packets. 13. The system of claim 8 , further comprising: the first simple filtering agent further operable to enforce one or more outbound simple filter rules at the first filtering level for a second network packet of a plurality of network packets sent to the network, wherein at least one of the one or more outbound simple filter rules blocks the sent network packet from reaching the network in response to the sent network packet failing at least one of the one or more outbound simple filter rules; and the side bounce filtering agent further operable to forward the sent network packet to the second virtual function in response to the sent network packet being blocked by the at least one of the one or more outbound simple filter rules. 14. The system of claim 13 , further comprising: the second virtual function further operable to allow the second network packet blocked by the first simple filtering agent to enter a virtual Ethernet bridge in the virtual machine monitor, the virtual Etherne