From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1N737y-0005gE-HV
	for qemu-devel@nongnu.org; Sun, 08 Nov 2009 03:28:02 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1N737t-0005cB-HO
	for qemu-devel@nongnu.org; Sun, 08 Nov 2009 03:28:02 -0500
Received: from [199.232.76.173] (port=50466 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1N737t-0005c0-BP
	for qemu-devel@nongnu.org; Sun, 08 Nov 2009 03:27:57 -0500
Received: from mx1.redhat.com ([209.132.183.28]:39535)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <avi@redhat.com>) id 1N737s-0004pT-Rr
	for qemu-devel@nongnu.org; Sun, 08 Nov 2009 03:27:57 -0500
Message-ID: <4AF680FD.5050101@redhat.com>
Date: Sun, 08 Nov 2009 10:27:41 +0200
From: Avi Kivity <avi@redhat.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com>	<1257294485-27015-5-git-send-email-aliguori@us.ibm.com>	<1257614967.30774.424.camel@macbook.infradead.org>
	<4AF5F0A2.8050309@codemonkey.ws>
In-Reply-To: <4AF5F0A2.8050309@codemonkey.ws>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: Mark McLoughlin <markmc@redhat.com>, Anthony Liguori <aliguori@us.ibm.com>, Arnd Bergmann <arndbergmann@googlemail.com>, Michael Tsirkin <mst@redhat.com>, Dustin Kirkland <kirkland@canonical.com>, qemu-devel@nongnu.org, Juan Quintela <quintela@redhat.com>, David Woodhouse <dwmw2@infradead.org>

On 11/08/2009 12:11 AM, Anthony Liguori wrote:
>
>>  You don't need root privileges to use a tap device.
>
> You can access a preconfigured tap device but you cannot allocate a 
> tap device and connect it to a bridge without CAP_NET_ADMIN.

btw, shouldn't we, in the general case, create a bridge per user and use 
IP NAT?  If we have a global bridge, users can spoof each other's MAC 
addresses and interfere with their virtual machines.  They can also 
interfere with the real network.

That's not a concern with most one-user-per-machine configurations, but 
the default configuration should be safe.


-- 
error compiling committee.c: too many arguments to function