From: Anthony Liguori
Date: Thu, 05 Nov 2009 09:58:52 -0600
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Message-ID: <4AF2F63C.6060204@us.ibm.com>
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> <4AF2E247.3090409@redhat.com> <4AF2E7CE.8010506@us.ibm.com> <4AF2EB17.8090202@redhat.com> <4AF2F04B.8050105@redhat.com>
In-Reply-To: <4AF2F04B.8050105@redhat.com>
To: Avi Kivity
Cc: Mark McLoughlin, Arnd Bergmann, Dustin Kirkland, Juan Quintela, qemu-devel@nongnu.org, Michael Tsirkin

Avi Kivity wrote:
> On 11/05/2009 05:11 PM, Avi Kivity wrote:
>> But we're forcing our style of security management on them. How to
>> store permissions is the management system's job (and for a clu^Houd,
>> it will typically be stored in a central database, not be scattered
>> around /etc).
>>
>> Again, IMO we should stick to making a guest work, and leave all the
>> glue to management.
>>
>
> As an example of why this is so, if the management stack wants to
> configure the tap interface further (say, add some ebtables rules
> guarding the new interface) it must push this into qemu or stop using
> -net bridge.

If you wanted to set rules based on the tap device itself, then yes. But I think the more common case (honestly, the only case I've seen so far) is where the rules are set on the bridge itself.

> Having the tap accessible to management also allows it to run tcpdump
> or collect statistics on it at runtime.

I'm not advocating removing -net tap,fd=. But -net bridge is obviously useful and makes writing management tools that do common things easier.

Not doing something that helps management tools and command line users tremendously simply because it's possible to do it another way for management tools (but not for command line users) is almost user hostile.

-- 
Regards,

Anthony Liguori