From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael S. Tsirkin"
Subject: Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 20:03:38 +0200
Message-ID: <20100127180338.GB13730@redhat.com>
References: <4B5F54E8.3080507@codemonkey.ws> <4B5F5594.6080006@codemonkey.ws>
 <20100127092451.GC3476@redhat.com> <4B60488F.5020506@codemonkey.ws>
 <20100127165909.GA13260@redhat.com> <4B6072E1.7030702@codemonkey.ws>
 <20100127172536.GD13260@redhat.com> <4B60799F.80708@codemonkey.ws>
 <1264614895.20320.35.camel@w-sridhar.beaverton.ibm.com>
 <4B607FBA.2070902@codemonkey.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Sridhar Samudrala , avi@redhat.com, markmc@redhat.com,
 ogerlitz@voltaire.com, kvm@vger.kernel.org, qemu-devel@vger.kernel.org
To: Anthony Liguori
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:49817 "EHLO mx1.redhat.com"
 rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755851Ab0A0SGu
 (ORCPT ); Wed, 27 Jan 2010 13:06:50 -0500
Content-Disposition: inline
In-Reply-To: <4B607FBA.2070902@codemonkey.ws>
Sender: kvm-owner@vger.kernel.org
List-ID:

On Wed, Jan 27, 2010 at 12:02:34PM -0600, Anthony Liguori wrote:
> On 01/27/2010 11:54 AM, Sridhar Samudrala wrote:
>> I too think that we should not block raw backend in qemu just because of
>> security reasons. It should be perfectly fine to use raw backend in
>> scenarios where qemu can be run as a privileged process.
>>
>> libvirt need not support raw backend until we figure out a secure way to
>> start qemu when passing raw fd. using network namespaces seems like a
>> good option.
>>
>
> Introducing something that is known to be problematic from a security
> perspective without any clear idea of what the use-case for it is is a
> bad idea IMHO.

vepa on existing kernels is one use-case.

> Regards,
>
> Anthony Liguori
>
>> Thanks
>> Sridhar
>>
>>