From: Arnd Bergmann <arnd@arndb.de>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: Sridhar Samudrala <sri@us.ibm.com>,
markmc@redhat.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com
Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 07:52:06 +0100 [thread overview]
Message-ID: <201001270752.07037.arnd@arndb.de> (raw)
In-Reply-To: <4B5F8379.6060607@codemonkey.ws>
On Wednesday 27 January 2010, Anthony Liguori wrote:
> > The raw backend can be attached to a physical device
>
> This is equivalent to bridging with tun/tap except that it has the
> unexpected behaviour of unreliable host/guest networking (which is not
> universally consistent across platforms either). This is not a mode we
> want to encourage users to use.
It's not the most common scenario, but I've seen systems (I remember
one on s/390 with z/VM) where you really want to isolate the guest
network as much as possible from the host network. Besides PCI
passthrough, giving the host device to a guest using a raw socket
is the next best approximation of that.
Then again, macvtap will do that too, if the device driver supports
multiple unicast MAC addresses without forcing promiscous mode.
> > , macvlan
>
> macvtap is a superior way to achieve this use case because a macvtap fd
> can safely be given to a lesser privilege process without allowing
> escalation of privileges.
Yes.
> > or SR-IOV VF.
> >
>
> This depends on vhost-net.
Why? I don't see anything in this scenario that is vhost-net specific.
I also plan to cover this aspect in macvtap in the future, but the current
code does not do it yet. It also requires device driver changes.
> In general, what I would like to see for
> this is something more user friendly that dealt specifically with this
> use-case. Although honestly, given the recent security concerns around
> raw sockets, I'm very concerned about supporting raw sockets in qemu at all.
>
> Essentially, you get worse security doing vhost-net + raw + VF then with
> PCI passthrough + VF because at least in the later case you can run qemu
> without privileges. CAP_NET_RAW is a very big privilege.
It can be contained to a large degree with network namespaces. When you
run qemu in its own namespace and add the VF to that, CAP_NET_RAW
should ideally have no effect on other parts of the system (except
bugs in the namespace implementation).
Arnd
next prev parent reply other threads:[~2010-01-27 6:52 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-26 20:40 [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu Sridhar Samudrala
2010-01-26 20:47 ` Anthony Liguori
2010-01-26 20:50 ` Anthony Liguori
2010-01-26 23:19 ` Sridhar Samudrala
2010-01-27 9:24 ` Michael S. Tsirkin
2010-01-27 9:34 ` Arnd Bergmann
2010-01-27 9:44 ` Michael S. Tsirkin
2010-01-27 14:03 ` Anthony Liguori
2010-01-27 21:39 ` Arnd Bergmann
2010-01-27 22:56 ` Sridhar Samudrala
2010-01-28 6:06 ` Arnd Bergmann
2010-01-28 16:53 ` Jens Osterkamp
2010-01-28 11:22 ` Or Gerlitz
2010-01-29 20:52 ` Sridhar Samudrala
2010-01-27 14:07 ` Anthony Liguori
2010-01-27 16:59 ` Michael S. Tsirkin
2010-01-27 17:07 ` Anthony Liguori
2010-01-27 17:25 ` Michael S. Tsirkin
2010-01-27 17:36 ` Anthony Liguori
2010-01-27 17:54 ` Sridhar Samudrala
2010-01-27 18:02 ` Anthony Liguori
2010-01-27 18:03 ` Michael S. Tsirkin
2010-01-27 19:54 ` Anthony Liguori
2010-01-28 8:12 ` Arnd Bergmann
2010-01-28 13:56 ` Michael S. Tsirkin
2010-01-28 14:13 ` Anthony Liguori
2010-01-28 14:39 ` Anthony Liguori
2010-01-28 14:52 ` Michael S. Tsirkin
2010-01-28 15:05 ` Anthony Liguori
2010-01-28 16:37 ` Michael S. Tsirkin
2010-01-28 17:58 ` Anthony Liguori
2010-01-28 18:04 ` Michael S. Tsirkin
2010-01-28 19:57 ` Anthony Liguori
2010-01-29 11:26 ` Michael S. Tsirkin
2010-01-28 20:29 ` Arnd Bergmann
2010-02-01 15:47 ` Or Gerlitz
2010-01-27 18:12 ` Michael S. Tsirkin
2010-01-26 23:15 ` Sridhar Samudrala
2010-01-27 0:06 ` [Qemu-devel] " Anthony Liguori
2010-01-27 6:52 ` Arnd Bergmann [this message]
2010-01-27 14:14 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201001270752.07037.arnd@arndb.de \
--to=arnd@arndb.de \
--cc=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=markmc@redhat.com \
--cc=mst@redhat.com \
--cc=ogerlitz@voltaire.com \
--cc=qemu-devel@nongnu.org \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox