From: Avi Kivity
Date: Sun, 18 Jan 2009 11:42:24 +0200
Subject: Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
To: dlaor@redhat.com, qemu-devel@nongnu.org
Cc: Mark McLoughlin, kvm
Message-ID: <4972F980.7080806@redhat.com>
In-Reply-To: <4972F850.50408@redhat.com>

Dor Laor wrote:
> Jamie Lokier wrote:
>> Dor Laor wrote:
>>
>>> What I meant is that if we allow the guest to change his mac
>>> address, it can deliberately change it to other hosts/guests mac
>>> and thus create networking problems.
>>> Although guest can always mangle packets, maybe it is worth
>>> enforcing these macs for the guest.
>>>
>>
>> Although it can create network problems, sometimes it is also wanted.
>>
>> I think if you want to restrict the guest's ability to break the
>> network by changing its MAC, it would be appropriate to have an option
>> to completely lock down the MAC so the guest can't change its MAC at
>> all.
>>
>>
> That's what I was shooting to.
> One example where this can be helpful is when kvm is used to run
> virtual servers in a computing farm like Amazon. You wouldn't like a
> VM owner to mess your network.

Restricting the MAC address won't help. The guest can still forge the
link layer address and/or the IP layer addresses. This needs to be
addressed by netfilter.

-- 
error compiling committee.c: too many arguments to function
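
The host-side filtering this reply points to, as an added example that is not part of the thread or of QEMU: a shell function that prints ebtables rules pinning one guest tap interface to its assigned MAC and IPv4 address. The interface name, the addresses and the static-IPv4 guest are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: print ebtables anti-spoofing rules for one guest tap device.
# Assumes a bridged tap interface and a guest with one static IPv4 address
# (a DHCP client sending from 0.0.0.0 would need an extra allow rule, and
# IPv6 needs equivalent rules; neither is covered here).

valid_iface() {   # Linux interface names: at most 15 characters
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

valid_mac() {     # xx:xx:xx:xx:xx:xx
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {    # dotted quad, each octet 0-255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Usage: anti_spoof_rules <tap-iface> <guest-mac> <guest-ipv4>
# Prints the rules instead of applying them, so they can be reviewed first.
anti_spoof_rules() {
    tap=$1; mac=$2; ip=$3
    valid_iface "$tap" || { echo "bad interface: $tap" >&2; return 1; }
    valid_mac "$mac"   || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip"   || { echo "bad IPv4: $ip" >&2; return 1; }
    # FORWARD sees frames bridged to other ports, INPUT frames aimed at the host.
    for chain in INPUT FORWARD; do
        # Link layer: the Ethernet source must be the assigned MAC.
        echo "ebtables -A $chain -i $tap -s ! $mac -j DROP"
        # ARP payload: sender MAC and sender IP must match as well, otherwise
        # the guest can poison neighbours while keeping a valid frame header.
        echo "ebtables -A $chain -i $tap -p ARP --arp-mac-src ! $mac -j DROP"
        echo "ebtables -A $chain -i $tap -p ARP --arp-ip-src ! $ip -j DROP"
        # IP layer: the IPv4 source must be the assigned address.
        echo "ebtables -A $chain -i $tap -p IPv4 --ip-src ! $ip -j DROP"
    done
}

# Constructed sample guest: vnet0, 52:54:00:12:34:56, 192.0.2.10.
anti_spoof_rules vnet0 52:54:00:12:34:56 192.0.2.10
```

The rules cover both layers the reply names: a MAC lock in the virtio-net device alone would leave forged ARP payloads and IP source addresses untouched.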