From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config Date: Thu, 15 Jan 2009 15:41:48 +0200 Message-ID: <496F3D1C.4020605@redhat.com> References: <1231881829.9095.191.camel@bling> <496DB8D1.2070101@redhat.com> <1231947298.7109.262.camel@lappy> <20090114164155.GA6431@shareable.org> <496E61F0.8060605@redhat.com> <20090115131249.GD32368@shareable.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: dlaor@redhat.com, qemu-devel@nongnu.org, Mark McLoughlin , kvm To: Jamie Lokier Return-path: Received: from mx2.redhat.com ([66.187.237.31]:35823 "EHLO mx2.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1761152AbZAONl5 (ORCPT ); Thu, 15 Jan 2009 08:41:57 -0500 In-Reply-To: <20090115131249.GD32368@shareable.org> Sender: kvm-owner@vger.kernel.org List-ID: Jamie Lokier wrote: > Dor Laor wrote: > >> What I meant is that if we allow the guest to change his mac address, it >> can deliberately >> change it to other hosts/guests mac and thus create networking problems. >> Although guest can always mangle packets, maybe it worth enforcing these >> macs for the guest. >> > > Although it can create network problems, sometimes it is also wanted. > > I think if you want to restrict the guests's ability to break the > network by changing its MAC, it would be appropriate to have an option > to completely lock down the MAC so the guest can't change its MAC at all. > I don't think locking down the MAC is very useful; the guest can still fake its IP address. If the admin wants to lock down the guest, they should use netfilter (and live with the performance hit). -- error compiling committee.c: too many arguments to function