From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1N65xA-0007EN-QL for qemu-devel@nongnu.org; Thu, 05 Nov 2009 12:16:56 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1N65x6-0007Br-AP for qemu-devel@nongnu.org; Thu, 05 Nov 2009 12:16:56 -0500
Received: from [199.232.76.173] (port=48283 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1N65x6-0007Ba-67 for qemu-devel@nongnu.org; Thu, 05 Nov 2009 12:16:52 -0500
Received: from mx1.redhat.com ([209.132.183.28]:32904) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1N65x4-0007PR-Qp for qemu-devel@nongnu.org; Thu, 05 Nov 2009 12:16:51 -0500
Date: Thu, 5 Nov 2009 17:16:44 +0000
From: "Daniel P. Berrange"
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Message-ID: <20091105171644.GR689@redhat.com>
References: <4AF2E247.3090409@redhat.com> <4AF2E7CE.8010506@us.ibm.com> <20091105151154.GF689@redhat.com> <4AF2EBBB.7070605@redhat.com> <4AF2F674.6080205@us.ibm.com> <4AF2FB52.2090305@redhat.com> <4AF2FD10.7050607@us.ibm.com> <4AF2FEE6.6000501@redhat.com> <20091105165318.GL689@redhat.com> <4AF30574.70607@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4AF30574.70607@us.ibm.com>
Reply-To: "Daniel P. Berrange"
List-Id: qemu-devel.nongnu.org
To: Anthony Liguori
Cc: Mark McLoughlin, Arnd Bergmann, Juan Quintela, Dustin Kirkland, qemu-devel@nongnu.org, Michael Tsirkin, Avi Kivity

On Thu, Nov 05, 2009 at 11:03:48AM -0600, Anthony Liguori wrote:
> Daniel P. Berrange wrote:
> >Indeed the hotplug scenario is a bit of a problem in this model,
> >since libvirt needs to be able to set up iptables & ebtables rules
> >between creating the device & giving it to the guest.
> >
>
> But does libvirt ever set up tap-specific iptable or ebtable rules?

We have recently got a mode where we set up a rule against a specific
TAP device to filter non-assigned MAC, to prevent guests spoofing MAC
addrs, and will do similar for IP packets in the future.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
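The per-TAP MAC filter Daniel describes above, as an added example that is not libvirt's own code: a small POSIX shell helper that emits the ebtables rules pinning one TAP device to its assigned source MAC, plus the matching teardown for unplug. The device name tap0, the MAC 52:54:00:12:34:56 and the per-device chain name vnet-in-<tap> are illustrative assumptions, not libvirt's naming.

```shell
#!/bin/sh
# Added example, not libvirt code: pin a TAP device to one source MAC with
# ebtables so a guest cannot spoof another MAC onto the bridge.
# Assumed names: tap device "tap0", guest MAC 52:54:00:12:34:56, and a
# per-device chain "vnet-in-<tap>" (all illustrative, not libvirt's).

# Print the rules (one command per line) without executing them, so the
# caller can review them or pipe them to sh as root.
mac_filter_rules() {
    tap="$1"
    mac="$2"
    chain="vnet-in-${tap}"
    # A dedicated chain per device keeps teardown to "flush and delete".
    printf 'ebtables -N %s\n' "$chain"
    # Frames entering the bridge from this port go to the chain whether the
    # bridge forwards them (FORWARD) or delivers them locally (INPUT).
    printf 'ebtables -A FORWARD -i %s -j %s\n' "$tap" "$chain"
    printf 'ebtables -A INPUT -i %s -j %s\n' "$tap" "$chain"
    # Only the assigned source MAC may leave this port; drop everything else.
    printf 'ebtables -A %s -s %s -j RETURN\n' "$chain" "$mac"
    printf 'ebtables -A %s -j DROP\n' "$chain"
}

# Print the matching teardown for unplug: unhook the jumps first, then
# flush and delete the per-device chain.
mac_filter_teardown() {
    tap="$1"
    chain="vnet-in-${tap}"
    printf 'ebtables -D INPUT -i %s -j %s\n' "$tap" "$chain"
    printf 'ebtables -D FORWARD -i %s -j %s\n' "$tap" "$chain"
    printf 'ebtables -F %s\n' "$chain"
    printf 'ebtables -X %s\n' "$chain"
}

# Reject anything that is not an aa:bb:cc:dd:ee:ff string before it is
# spliced into a rule (returns non-zero on bad input).
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Build the rules only for a well-formed MAC; fail loudly otherwise.
mac_filter_for() {
    valid_mac "$2" || { echo "bad MAC: $2" >&2; return 1; }
    mac_filter_rules "$1" "$2"
}

# When run directly with <tap> <mac>, print the rules. Apply with:
#   mac_filter_for tap0 52:54:00:12:34:56 | sh      (as root)
if [ "$#" -eq 2 ]; then
    mac_filter_for "$1" "$2"
fi
```

The rules need to be in place before the TAP is attached to the bridge, which is exactly the ordering problem raised for the hotplug case in this thread: once the port is up, frames flow until the rules land. Note that this pins only the Ethernet source address; ARP and IP-level spoofing are not covered by it and need arptables/iptables rules of their own, which is the "similar for IP packets" part Daniel mentions as future work.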