From: Lucas Meneghel Rodrigues
Subject: Re: [PATCH] KVM-test: Add a new test: privacy test
Date: Tue, 15 Mar 2011 01:29:43 -0300
Message-ID: <1300163383.2705.27.camel@freedom>
In-Reply-To: <20110228113228.GG28006@redhat.com>
References: <20110228112038.5878.38791.stgit@t115> <20110228113228.GG28006@redhat.com>
To: "Michael S. Tsirkin"
Cc: Amos Kong, autotest@test.kernel.org, kvm@vger.kernel.org

On Mon, 2011-02-28 at 13:32 +0200, Michael S. Tsirkin wrote:
> On Mon, Feb 28, 2011 at 07:20:38PM +0800, Amos Kong wrote:
> > Communicate between two vms, and try to capture packages from another vm in
> > the same lan.
> > This test used tcpdump, so we need to limit it to Linux guests.
> >
> > Signed-off-by: Amos Kong
>
> I don't think there's any such privacy guarantee for a plain
> bridged setup: the bridge might flood packets to
> all endpoints sometimes, and rx mac address filters
> even if present are guest controllable so they represent
> a performance optimization, not a privacy guarantee.
>
> This is analogous to a physical shared lan: any box can
> enable promisc mode and snoop on packets.
>
> You need vlans, or netfilter, or some other filtering
> if you want to enforce privacy.

Amos, per Michael's comments, perhaps we should put vm1 and vm2 on a
vlan and vm3 on a different vlan to have a more valid packet privacy
test?

I'll refrain from adding this test to the upstream tree until we have a
more satisfactory test/solution.
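
The flooding behaviour Michael describes and the VLAN split Lucas proposes, as an added example that is not part of the original thread or of KVM-autotest: a toy learning bridge in Python. The port names, MAC addresses, VLAN ids and the ageing step are constructed assumptions.

```python
# Toy model of a learning Ethernet bridge (constructed example, not KVM-autotest code).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Bridge:
    def __init__(self, port_vlan):
        # port_vlan maps port name -> VLAN id; one shared id models a plain bridge
        self.port_vlan = dict(port_vlan)
        self.fdb = {}  # (vlan, mac) -> port, learned from source addresses

    def forward(self, in_port, src, dst):
        """Return the sorted list of ports that receive a copy of the frame."""
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, src)] = in_port              # learn where the sender lives
        out = self.fdb.get((vlan, dst))
        if dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]   # known unicast: one port only
        # unknown unicast or broadcast: flood to every other port in the same VLAN
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)

    def age_out(self, mac):
        """Forget a MAC, as happens when its forwarding entry times out."""
        for key in [k for k in self.fdb if k[1] == mac]:
            del self.fdb[key]

# Constructed MAC addresses; each VM sits on a port named after it.
MAC = {"vm1": "52:54:00:00:00:01",
       "vm2": "52:54:00:00:00:02",
       "vm3": "52:54:00:00:00:03"}

def copies_seen_by(bridge, observer, rounds=3):
    """Count vm1<->vm2 frames delivered to the observer's port,
    i.e. what a promiscuous capture on that port would record."""
    seen = 0
    for _ in range(rounds):
        seen += observer in bridge.forward("vm1", MAC["vm1"], MAC["vm2"])
        seen += observer in bridge.forward("vm2", MAC["vm2"], MAC["vm1"])
        bridge.age_out(MAC["vm2"])   # vm2's entry expires between rounds
    return seen

def plain_bridge():
    return Bridge({"vm1": 1, "vm2": 1, "vm3": 1})

def vlan_bridge():
    return Bridge({"vm1": 10, "vm2": 10, "vm3": 20})

if __name__ == "__main__":
    print("plain bridge, frames visible to vm3:", copies_seen_by(plain_bridge(), "vm3"))
    print("vm3 on its own VLAN, frames visible:", copies_seen_by(vlan_bridge(), "vm3"))
```

On the plain bridge every frame sent while the destination entry is missing reaches vm3, so a test that asserts "vm3 captures nothing" fails intermittently by design; with vm3 on a separate VLAN the flood domain excludes it.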