From: Anthony Liguori <anthony@codemonkey.ws>
To: Sridhar Samudrala <sri@us.ibm.com>
Cc: markmc@redhat.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com
Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Tue, 26 Jan 2010 18:06:17 -0600 [thread overview]
Message-ID: <4B5F8379.6060607@codemonkey.ws> (raw)
In-Reply-To: <1264547735.24933.244.camel@w-sridhar.beaverton.ibm.com>
On 01/26/2010 05:15 PM, Sridhar Samudrala wrote:
> On Tue, 2010-01-26 at 14:47 -0600, Anthony Liguori wrote:
>
>> On 01/26/2010 02:40 PM, Sridhar Samudrala wrote:
>>
>>> This patch adds raw socket backend to qemu and is based on Or Gerlitz's
>>> patch re-factored and ported to the latest qemu-kvm git tree.
>>> It also includes support for vnet_hdr option that enables gso/checksum
>>> offload with raw backend. You can find the linux kernel patch to support
>>> this feature here.
>>> http://thread.gmane.org/gmane.linux.network/150308
>>>
>>> Signed-off-by: Sridhar Samudrala<sri@us.ibm.com>
>>>
>>>
>> See the previous discussion about the raw backend from Or's original
>> patch. There's no obvious reason why we should have this in addition to
>> a tun/tap backend.
>>
>> The only use-case I know of is macvlan but macvtap addresses this
>> functionality while not introduce the rather nasty security problems
>> associated with a raw backend.
>>
> The raw backend can be attached to a physical device
This is equivalent to bridging with tun/tap except that it has the
unexpected behaviour of unreliable host/guest networking (which is not
universally consistent across platforms either). This is not a mode we
want to encourage users to use.
> , macvlan
macvtap is a superior way to achieve this use case because a macvtap fd
can safely be given to a lesser privilege process without allowing
escalation of privileges.
> or SR-IOV VF.
>
This depends on vhost-net. In general, what I would like to see for
this is something more user friendly that dealt specifically with this
use-case. Although honestly, given the recent security concerns around
raw sockets, I'm very concerned about supporting raw sockets in qemu at all.
Essentially, you get worse security doing vhost-net + raw + VF then with
PCI passthrough + VF because at least in the later case you can run qemu
without privileges. CAP_NET_RAW is a very big privilege.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2010-01-27 0:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1264538423.24933.144.camel@w-sridhar.beaverton.ibm.com>
[not found] ` <4B5F54E8.3080507@codemonkey.ws>
2010-01-26 23:15 ` [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu Sridhar Samudrala
2010-01-27 0:06 ` Anthony Liguori [this message]
2010-01-27 6:52 ` Arnd Bergmann
2010-01-27 14:14 ` Anthony Liguori
[not found] ` <20100127094427.GE3476@redhat.com>
[not found] ` <4B6047A7.2030408@codemonkey.ws>
[not found] ` <201001272239.13383.arnd@arndb.de>
[not found] ` <1264632990.20320.106.camel@w-sridhar.beaverton.ibm.com>
2010-01-29 20:52 ` Sridhar Samudrala
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B5F8379.6060607@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=markmc@redhat.com \
--cc=mst@redhat.com \
--cc=ogerlitz@voltaire.com \
--cc=qemu-devel@nongnu.org \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).