From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1LNSTs-0004Xj-Vk
	for qemu-devel@nongnu.org; Thu, 15 Jan 2009 08:41:57 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1LNSTq-0004W3-Ei
	for qemu-devel@nongnu.org; Thu, 15 Jan 2009 08:41:55 -0500
Received: from [199.232.76.173] (port=48944 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1LNSTo-0004VO-NV
	for qemu-devel@nongnu.org; Thu, 15 Jan 2009 08:41:53 -0500
Received: from mx2.redhat.com ([66.187.237.31]:41458)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <avi@redhat.com>) id 1LNSTo-00050u-9c
	for qemu-devel@nongnu.org; Thu, 15 Jan 2009 08:41:52 -0500
Message-ID: <496F3D1C.4020605@redhat.com>
Date: Thu, 15 Jan 2009 15:41:48 +0200
From: Avi Kivity <avi@redhat.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC
	address via set_config
References: <1231881829.9095.191.camel@bling> <496DB8D1.2070101@redhat.com>
	<1231947298.7109.262.camel@lappy>
	<20090114164155.GA6431@shareable.org> <496E61F0.8060605@redhat.com>
	<20090115131249.GD32368@shareable.org>
In-Reply-To: <20090115131249.GD32368@shareable.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jamie Lokier <jamie@shareable.org>
Cc: Mark McLoughlin <markmc@redhat.com>, dlaor@redhat.com, qemu-devel@nongnu.org, kvm <kvm@vger.kernel.org>

Jamie Lokier wrote:
> Dor Laor wrote:
>   
>> What I meant is that if we allow the guest to change his mac address, it 
>> can deliberately
>> change it to other hosts/guests mac and thus create networking problems.
>> Although guest can always mangle packets, maybe it worth enforcing these 
>> macs for the guest.
>>     
>
> Although it can create network problems, sometimes it is also wanted.
>
> I think if you want to restrict the guests's ability to break the
> network by changing its MAC, it would be appropriate to have an option
> to completely lock down the MAC so the guest can't change its MAC at all.
>   

I don't think locking down the MAC is very useful; the guest can still 
fake its IP address.

If the admin wants to lock down the guest, they should use netfilter 
(and live with the performance hit).

-- 
error compiling committee.c: too many arguments to function