From mboxrd@z Thu Jan 1 00:00:00 1970
From: Anthony Liguori
Subject: Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 08:03:19 -0600
Message-ID: <4B6047A7.2030408@codemonkey.ws>
References: <1264538423.24933.144.camel@w-sridhar.beaverton.ibm.com>
 <4B5F5594.6080006@codemonkey.ws>
 <20100127092451.GC3476@redhat.com>
 <201001271034.35904.arnd@arndb.de>
 <20100127094427.GE3476@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Arnd Bergmann, Sridhar Samudrala, avi@redhat.com, markmc@redhat.com,
 ogerlitz@voltaire.com, kvm@vger.kernel.org, qemu-devel@vger.kernel.org
To: "Michael S. Tsirkin"
Return-path:
Received: from mail-yw0-f173.google.com ([209.85.211.173]:61240 "EHLO mail-yw0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754015Ab0A0ODY (ORCPT ); Wed, 27 Jan 2010 09:03:24 -0500
In-Reply-To: <20100127094427.GE3476@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 01/27/2010 03:44 AM, Michael S. Tsirkin wrote:
> On Wed, Jan 27, 2010 at 10:34:35AM +0100, Arnd Bergmann wrote:
>
>> On Wednesday 27 January 2010, Michael S. Tsirkin wrote:
>>
>>> I am not sure I agree with this sentiment. The main issue being that
>>> macvtap doesn't exist on all kernels :). macvlan also requires hardware
>>> support, packet socket can work with any network card in promisc mode.
>>>
>> To be clear, macvlan does not require hardware support, it will happily
>> put cards into promiscuous mode if they don't support multiple mac addresses.
>>
>>
>>> I agree to that. People don't even seem to agree whether it's a raw
>>> socket or a packet socket :) We need a better name for this option: what
>>> it really does is rely on an external device to loopback a packet to us,
>>> so how about -net loopback or -net extbridge?
>>>
>> I think -net socket,fd should just be (trivially) extended to work with raw
>> sockets out of the box, with no support for opening it. Then you can have
>> libvirt or some wrapper open a raw socket and a private namespace and just pass it
>> down.
>>
> That'd work. Anthony?
>

What functionality are we trying to achieve? Let's be very specific about use-cases here. If it's VEPA, like you mentioned earlier, why isn't macvtap a better solution from a security perspective?

The fundamental problem that I have with all of this is that we should not be introducing new network backends that are based around something only a developer is going to understand. If I'm a user and I want to use an external switch in VEPA mode, how in the world am I going to know that I'm supposed to use the -net raw backend or the -net socket backend? It might as well be the -net butterflies backend as far as a user is concerned.

Networking in QEMU is already hard enough for users, we shouldn't make it worse than it already is.

Regards,

Anthony Liguori
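The hand-off Arnd sketches above (a privileged wrapper such as libvirt opens the AF_PACKET socket, QEMU only ever receives the descriptor) in working C, as an added example that is neither QEMU's code nor the patch under discussion. It assumes Linux, and every function name in it (open_packet_socket, send_fd, recv_fd, is_packet_socket, roundtrip_fd) is this example's own. The privileged side binds the socket to one interface and asks for promiscuous mode through PACKET_ADD_MEMBERSHIP, so the kernel drops the flag again when the socket goes away; the receiving side checks with SO_DOMAIN that what it was handed really is an AF_PACKET socket before using it as a backend.

```c
/* Added example, not code from QEMU or from the patch under discussion:
 * a privileged helper opens the AF_PACKET socket and hands only the
 * descriptor to an unprivileged consumer over a unix socket, so the
 * consumer never needs CAP_NET_RAW. Function names are this example's own. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Privileged side: raw AF_PACKET socket bound to one interface. Promiscuous
 * mode goes through PACKET_ADD_MEMBERSHIP, which the kernel undoes when the
 * last reference to the socket is closed. Returns the fd or -1. */
int open_packet_socket(const char *ifname, int promisc)
{
    int ifindex = (int)if_nametoindex(ifname);
    if (ifindex == 0)
        return -1;
    int fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll = { .sll_family = AF_PACKET,
                               .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = ifindex };
    struct packet_mreq mr = { .mr_ifindex = ifindex, .mr_type = PACKET_MR_PROMISC };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        (promisc && setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send one descriptor as SCM_RIGHTS ancillary data. Returns 0 or -1. */
int send_fd(int unix_sock, int fd_to_send)
{
    char tag = 'F';
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_send, sizeof(int));
    return sendmsg(unix_sock, &msg, 0) == 1 ? 0 : -1;
}

/* Accept exactly one SCM_RIGHTS descriptor; anything else is rejected (-1). */
int recv_fd(int unix_sock)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(unix_sock, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Unprivileged side: refuse an inherited fd unless it is an AF_PACKET socket. */
int is_packet_socket(int fd)
{
    int domain = -1;
    socklen_t len = sizeof domain;
    return getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) == 0 && domain == AF_PACKET;
}

/* The wrapper/QEMU boundary modelled as a socketpair: returns the receiver's
 * copy of fd, or -1. Works for any fd, so the hand-off itself can be
 * exercised without CAP_NET_RAW. */
int roundtrip_fd(int fd)
{
    int sv[2], got = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (send_fd(sv[0], fd) == 0)
        got = recv_fd(sv[1]);
    close(sv[0]);
    close(sv[1]);
    return got;
}
```

In real use the privileged process calls open_packet_socket(ifname, 1) and send_fd() on a unix socket it shares with QEMU, then closes its own copy; the QEMU side calls recv_fd(), checks is_packet_socket(), and reads Ethernet frames from the descriptor with recv(). Only the opener needs CAP_NET_RAW; the SO_DOMAIN check is the minimum a fd-taking backend should do before trusting what it was handed.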