Date: Fri, 6 Nov 2009 02:08:52 +0000
From: Jamie Lokier
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Message-ID: <20091106020852.GI21630@shareable.org>
References: <4AF2E7CE.8010506@us.ibm.com> <20091105151154.GF689@redhat.com> <4AF2EBBB.7070605@redhat.com> <4AF2F674.6080205@us.ibm.com> <4AF2FB52.2090305@redhat.com> <4AF2FD10.7050607@us.ibm.com> <4AF2FEE6.6000501@redhat.com> <20091105165318.GL689@redhat.com> <4AF30574.70607@us.ibm.com> <20091105171644.GR689@redhat.com>
In-Reply-To: <20091105171644.GR689@redhat.com>
To: "Daniel P. Berrange"
Cc: Mark McLoughlin, Anthony Liguori, Arnd Bergmann, Dustin Kirkland, Juan Quintela, qemu-devel@nongnu.org, Michael Tsirkin, Avi Kivity

Daniel P. Berrange wrote:
> On Thu, Nov 05, 2009 at 11:03:48AM -0600, Anthony Liguori wrote:
> > Daniel P. Berrange wrote:
> > > Indeed the hotplug scenario is a bit of a problem in this model,
> > > since libvirt needs to be able to setup iptables & ebtables rules
> > > between creating the device & giving it to the guest.
> >
> > But does libvirt ever set up tap specific iptable or ebtable rules?
>
> We have recently got a mode where we setup a rule against a specific TAP
> device to filter non-assigned MAC, to prevent guests spoofing MAC addrs,
> and will do similar for IP packets in the future.

It's a good idea, but it can be difficult to update iptables rules on a
general system which has lots of other iptables rules as well. How do
you handle that?

Btw, my approach to filtering & spoof avoidance, for some VMs which
don't need to be bridged, has been to avoid bridging, put the VMs on
their own private subnet inside the host, and use iptables NAT to route
them. That blocks things like mDNS, Windows Network Neighbourhood
discovery and so on, but for some VMs that doesn't matter or is even
preferable, to provide better isolation.

-- 
Jamie
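The two mechanisms discussed in the thread, the per-TAP ebtables rule that drops frames not carrying the guest's assigned MAC, and the non-bridged private subnet routed with iptables NAT, as an added example written for this archive page; it is not code from Jamie, Daniel, libvirt or qemu. Interface names (tap0, eth0), the MAC 52:54:00:12:34:56, the guest address 10.200.0.10 and the subnet 10.200.0.0/24 are constructed placeholders. The functions only print the commands so that they can be reviewed against the host's existing rule set before being piped to sh as root, which is one way to cope with the "lots of other iptables rules" problem raised in the reply: the per-guest rules are appended to dedicated chains that can be flushed and rebuilt without touching anything else.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt or qemu). Emits the anti-spoof
# and NAT-routing rules discussed above; names and addresses are placeholders.
# Commands are printed, not executed: review them, then `... | sh` as root.

# Layer-2 anti-spoof for one bridged guest: any Ethernet frame, or any ARP
# reply/request whose sender hardware address is not the assigned MAC, is
# dropped. Frames bridged to other ports traverse the ebtables FORWARD
# chain, frames addressed to the host itself traverse INPUT, so both
# chains get the rule.
mac_spoof_rules() {
    tap=$1; mac=$2
    for chain in FORWARD INPUT; do
        echo "ebtables -A $chain -i $tap -s ! $mac -j DROP"
    done
    echo "ebtables -A FORWARD -i $tap -p ARP --arp-mac-src ! $mac -j DROP"
}

# Layer-3 anti-spoof for one routed (non-bridged) guest: the TAP is a plain
# routed interface on the host, so iptables sees its packets directly and
# can require the assigned source address. Rules live in a per-guest chain
# so they can be rebuilt without disturbing the rest of the host ruleset.
ip_spoof_rules() {
    tap=$1; ip=$2
    chain="vm-$tap"
    echo "iptables -N $chain"
    echo "iptables -A $chain ! -s $ip -j DROP"
    echo "iptables -A $chain -j RETURN"
    echo "iptables -I FORWARD -i $tap -j $chain"
}

# Private subnet routed with NAT: guests reach the outside through the
# uplink via MASQUERADE; only replies to guest-initiated connections come
# back in, so nothing on the LAN can reach a guest unsolicited and the
# guests never see LAN broadcast/multicast traffic (mDNS, NetBIOS, ...).
private_subnet_nat_rules() {
    subnet=$1; uplink=$2
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $uplink -j MASQUERADE"
    echo "iptables -A FORWARD -s $subnet -o $uplink -j ACCEPT"
    echo "iptables -A FORWARD -d $subnet -i $uplink -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -d $subnet -i $uplink -j DROP"
}

# Usage (placeholders): print the full rule set for one guest of each kind.
if [ "${1:-}" = "show" ]; then
    mac_spoof_rules tap0 52:54:00:12:34:56
    ip_spoof_rules tap1 10.200.0.10
    private_subnet_nat_rules 10.200.0.0/24 eth0
fi
```

Run it as `sh rules.sh show` to inspect the output; the per-guest chains (`vm-tap1`) are the hook that makes hot-unplug cheap, since removing a guest is a single jump-rule delete plus a chain flush rather than a search through the host's own rules.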