Re: [Qemu-devel] [PATCH 6/7] virtio-net: Add new RX filter controls

["Daniel P. Berrange" <berrange@redhat.com>]

On Mon, Jun 08, 2009 at 02:18:04PM -0500, Anthony Liguori wrote:
> Alex Williamson wrote:
> >e1000 also allows the driver to selectively enable/disable RX of
> >packets to the broadcast address.  This is replicated with the
> >all/no-bcast options.  Finally, there may be cases where we want to
> >receive only unicast or only multicast address for special purpose
> >network devices.  This is provided by the nouni and nomulti options.
> >A proprietary guest know as DMX intends to make use of these extra
> >modes.  Are there any other interesting, useful and lightweight packet
> >filters we could implement?  Thanks,
> >  
> 
> I've been thinking about whether doing VLAN filtering/tagging within 
> QEMU would make sense.  It could potentially simplify bridge setups 
> tremendously.  Today, if you want to isolate VMs on separate vlans, it 
> involves creating multiple bridges which gets ugly quickly.

The downside of that would be that you're trusting the integrity of
QEMU for VLAN filtering. If QEMU got compromised then it could get
outside the configured VLAN, which is not possible if the VLAN stuff
is done by the kernel (assuming the QEMU process does not have the
capabilities to add itself to other bridges).

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|