From: Avi Kivity
Date: Sun, 08 Nov 2009 10:55:03 +0200
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Message-ID: <4AF68767.4080707@redhat.com>
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> <4AF5F0A2.8050309@codemonkey.ws> <4AF680FD.5050101@redhat.com> <200911080843.25648.arnd@arndb.de>
In-Reply-To: <200911080843.25648.arnd@arndb.de>
To: Arnd Bergmann
Cc: Mark McLoughlin, Anthony Liguori, Arnd Bergmann, Michael Tsirkin, Dustin Kirkland, qemu-devel@nongnu.org, Juan Quintela, David Woodhouse

On 11/08/2009 10:43 AM, Arnd Bergmann wrote:
>> btw, shouldn't we, in the general case, create a bridge per user and use
>> IP NAT? If we have a global bridge, users can spoof each other's MAC
>> addresses and interfere with their virtual machines. They can also
>> interfere with the real network.
>>
>> That's not a concern with most one-user-per-machine configurations, but
>> the default configuration should be safe.
>>
> It also depends a lot on what you want to do with the virtual machine.
> If you want to run a game or a legacy application in a different operating
> system on your desktop, a NATed bridge is ideal, but it does not work
> on a server if the guest wants to listen on a socket with its own IP address.
>

Yes. It also depends on what the system administrator wants you to be able to do. On desktop machines you are usually the system administrator so there is no problem. But we should beware of making it easy to subvert security.

There is also the problem of accidental MAC overlap - qemu uses the same MAC address for all virtual machines unless overridden, so if two users create a virtual machine without specifying MAC addresses they will trample each other. A single user could also have trouble launching two guests; that's not a security problem, but will lead to a lot of annoyance and false bug reports ("networking dies as soon as I launch a second guest").

-- 
error compiling committee.c: too many arguments to function
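The MAC-overlap problem Avi describes shows up on the host as the same address being learned on more than one port of the shared bridge. The following is an added illustration, not code from the thread or from qemu: it parses constructed sample output in the format of `bridge fdb show` (the sample is made up, not captured from a real host) and reports MACs seen on several tap ports, and whether any guest is still on qemu's historical default MAC, 52:54:00:12:34:56.

```python
"""Detect MAC-address collisions between guests on a shared bridge."""
import re
from collections import defaultdict

# Historical qemu default used when no macaddr= is given for a NIC.
QEMU_DEFAULT_MAC = "52:54:00:12:34:56"

# Constructed sample of `bridge fdb show br br0` output (not captured from a
# real host): two tap devices learned the same MAC, the symptom of two guests
# started without explicit MAC addresses.
SAMPLE_FDB = """\
52:54:00:12:34:56 dev tap0 master br0
52:54:00:12:34:56 dev tap1 master br0
52:54:00:ab:cd:ef dev tap2 master br0
33:33:00:00:00:01 dev tap0 self permanent
01:00:5e:00:00:01 dev br0 self permanent
"""

FDB_LINE = re.compile(r"^([0-9a-f:]{17}) dev (\S+)(.*)$")


def parse_fdb(text):
    """Map each learned MAC to the set of bridge ports it was seen on.
    'permanent' entries (the ports' own and multicast addresses) are skipped."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FDB_LINE.match(line.strip())
        if not m or "permanent" in m.group(3):
            continue
        ports[m.group(1).lower()].add(m.group(2))
    return ports


def find_collisions(text):
    """Return {mac: sorted ports} for every MAC learned on more than one port."""
    return {mac: sorted(devs)
            for mac, devs in parse_fdb(text).items() if len(devs) > 1}


def uses_default_mac(text):
    """True if some guest on the bridge still uses qemu's default MAC."""
    return QEMU_DEFAULT_MAC in parse_fdb(text)


if __name__ == "__main__":
    for mac, devs in find_collisions(SAMPLE_FDB).items():
        print(f"MAC {mac} learned on {len(devs)} ports: {', '.join(devs)}")
    if uses_default_mac(SAMPLE_FDB):
        print("a guest uses the qemu default MAC; pass macaddr= to -net nic")
```

On a real host, feed the output of `bridge fdb show br <bridge>` to the same functions; a collision report means two guests need distinct `macaddr=` values.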