From: Anthony Liguori <anthony@codemonkey.ws>
To: Sridhar Samudrala <sri@us.ibm.com>
Cc: markmc@redhat.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com
Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Tue, 26 Jan 2010 18:06:17 -0600 [thread overview]
Message-ID: <4B5F8379.6060607@codemonkey.ws> (raw)
In-Reply-To: <1264547735.24933.244.camel@w-sridhar.beaverton.ibm.com>
On 01/26/2010 05:15 PM, Sridhar Samudrala wrote:
> On Tue, 2010-01-26 at 14:47 -0600, Anthony Liguori wrote:
>
>> On 01/26/2010 02:40 PM, Sridhar Samudrala wrote:
>>
>>> This patch adds raw socket backend to qemu and is based on Or Gerlitz's
>>> patch re-factored and ported to the latest qemu-kvm git tree.
>>> It also includes support for vnet_hdr option that enables gso/checksum
>>> offload with raw backend. You can find the linux kernel patch to support
>>> this feature here.
>>> http://thread.gmane.org/gmane.linux.network/150308
>>>
>>> Signed-off-by: Sridhar Samudrala<sri@us.ibm.com>
>>>
>>>
>> See the previous discussion about the raw backend from Or's original
>> patch. There's no obvious reason why we should have this in addition to
>> a tun/tap backend.
>>
>> The only use-case I know of is macvlan but macvtap addresses this
>> functionality while not introduce the rather nasty security problems
>> associated with a raw backend.
>>
> The raw backend can be attached to a physical device
This is equivalent to bridging with tun/tap except that it has the
unexpected behaviour of unreliable host/guest networking (which is not
universally consistent across platforms either). This is not a mode we
want to encourage users to use.
> , macvlan
macvtap is a superior way to achieve this use case because a macvtap fd
can safely be given to a lesser privilege process without allowing
escalation of privileges.
> or SR-IOV VF.
>
This depends on vhost-net. In general, what I would like to see for
this is something more user friendly that dealt specifically with this
use-case. Although honestly, given the recent security concerns around
raw sockets, I'm very concerned about supporting raw sockets in qemu at all.
Essentially, you get worse security doing vhost-net + raw + VF then with
PCI passthrough + VF because at least in the later case you can run qemu
without privileges. CAP_NET_RAW is a very big privilege.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2010-01-27 0:06 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-26 20:40 [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu Sridhar Samudrala
2010-01-26 20:47 ` Anthony Liguori
2010-01-26 20:50 ` Anthony Liguori
2010-01-26 23:19 ` Sridhar Samudrala
2010-01-27 9:24 ` Michael S. Tsirkin
2010-01-27 9:34 ` Arnd Bergmann
2010-01-27 9:44 ` Michael S. Tsirkin
2010-01-27 14:03 ` Anthony Liguori
2010-01-27 21:39 ` Arnd Bergmann
2010-01-27 22:56 ` Sridhar Samudrala
2010-01-28 6:06 ` Arnd Bergmann
2010-01-28 16:53 ` Jens Osterkamp
2010-01-28 11:22 ` Or Gerlitz
2010-01-29 20:52 ` Sridhar Samudrala
2010-01-29 20:52 ` [Qemu-devel] " Sridhar Samudrala
2010-01-27 14:07 ` Anthony Liguori
2010-01-27 16:59 ` Michael S. Tsirkin
2010-01-27 17:07 ` Anthony Liguori
2010-01-27 17:25 ` Michael S. Tsirkin
2010-01-27 17:36 ` Anthony Liguori
2010-01-27 17:54 ` Sridhar Samudrala
2010-01-27 18:02 ` Anthony Liguori
2010-01-27 18:03 ` Michael S. Tsirkin
2010-01-27 19:54 ` Anthony Liguori
2010-01-28 8:12 ` Arnd Bergmann
2010-01-28 13:56 ` Michael S. Tsirkin
2010-01-28 14:13 ` Anthony Liguori
2010-01-28 14:39 ` Anthony Liguori
2010-01-28 14:52 ` Michael S. Tsirkin
2010-01-28 15:05 ` Anthony Liguori
2010-01-28 16:37 ` Michael S. Tsirkin
2010-01-28 17:58 ` Anthony Liguori
2010-01-28 18:04 ` Michael S. Tsirkin
2010-01-28 19:57 ` Anthony Liguori
2010-01-29 11:26 ` Michael S. Tsirkin
2010-01-28 20:29 ` Arnd Bergmann
2010-02-01 15:47 ` Or Gerlitz
2010-01-27 18:12 ` Michael S. Tsirkin
2010-01-26 23:15 ` Sridhar Samudrala
2010-01-26 23:15 ` [Qemu-devel] " Sridhar Samudrala
2010-01-27 0:06 ` Anthony Liguori [this message]
2010-01-27 6:52 ` Arnd Bergmann
2010-01-27 6:52 ` Arnd Bergmann
2010-01-27 14:14 ` Anthony Liguori
2010-01-27 14:14 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B5F8379.6060607@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=markmc@redhat.com \
--cc=mst@redhat.com \
--cc=ogerlitz@voltaire.com \
--cc=qemu-devel@nongnu.org \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.