* [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-13 21:23 ` Alex Williamson
  0 siblings, 0 replies; 18+ messages in thread
From: Alex Williamson @ 2009-01-13 21:23 UTC (permalink / raw)
  To: kvm; +Cc: qemu-devel, Mark McLoughlin


Rename get_config for simplicity

Signed-off-by: Alex Williamson <alex.williamson@hp.com>
---

 qemu/hw/virtio-net.c |   18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/qemu/hw/virtio-net.c b/qemu/hw/virtio-net.c
index 1f9dc16..e9b3d46 100644
--- a/qemu/hw/virtio-net.c
+++ b/qemu/hw/virtio-net.c
@@ -42,7 +42,7 @@ static VirtIONet *to_virtio_net(VirtIODevice *vdev)
     return (VirtIONet *)vdev;
 }
 
-static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
+static void virtio_net_get_config(VirtIODevice *vdev, uint8_t *config)
 {
     VirtIONet *n = to_virtio_net(vdev);
     struct virtio_net_config netcfg;
@@ -51,6 +51,19 @@ static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
     memcpy(config, &netcfg, sizeof(netcfg));
 }
 
+static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+    struct virtio_net_config netcfg;
+
+    memcpy(&netcfg, config, sizeof(netcfg));
+
+    if (memcmp(netcfg.mac, n->mac, 6)) {
+        memcpy(n->mac, netcfg.mac, 6);
+        qemu_format_nic_info_str(n->vc, n->mac);
+    }
+}
+
 static uint32_t virtio_net_get_features(VirtIODevice *vdev)
 {
     uint32_t features = (1 << VIRTIO_NET_F_MAC);
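Review bot: `virtio_net_set_config` copies whatever six bytes the guest wrote into `n->mac` without checking that they form a usable unicast address, so an all-zero value or one with the group bit set becomes the device address and is passed on to `qemu_format_nic_info_str`. A guard ahead of the `memcmp`, for example `if (netcfg.mac[0] & 1) return;`, would keep malformed values out of device state. The literal `6` is used in both the compare and the copy; `sizeof(n->mac)` (assuming `mac` is an array member, which the hunk does not show) would keep them tied to the field size. If the transport invokes `set_config` after each partial config-space write, which is not visible here, half-written addresses would be applied as well, so a one-line comment stating when the callback fires would help. The same hunk appears again in the cross-posted copy of this patch further down the page.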
@@ -405,7 +418,8 @@ PCIDevice *virtio_net_init(PCIBus *bus, NICInfo *nd, int devfn)
     if (!n)
         return NULL;
 
-    n->vdev.get_config = virtio_net_update_config;
+    n->vdev.get_config = virtio_net_get_config;
+    n->vdev.set_config = virtio_net_set_config;
     n->vdev.get_features = virtio_net_get_features;
     n->vdev.set_features = virtio_net_set_features;
     n->rx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_rx);




* [Qemu-devel] [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-13 21:23 ` Alex Williamson
  0 siblings, 0 replies; 18+ messages in thread
From: Alex Williamson @ 2009-01-13 21:23 UTC (permalink / raw)
  To: kvm; +Cc: Mark McLoughlin, qemu-devel


Rename get_config for simplicity

Signed-off-by: Alex Williamson <alex.williamson@hp.com>
---

 qemu/hw/virtio-net.c |   18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/qemu/hw/virtio-net.c b/qemu/hw/virtio-net.c
index 1f9dc16..e9b3d46 100644
--- a/qemu/hw/virtio-net.c
+++ b/qemu/hw/virtio-net.c
@@ -42,7 +42,7 @@ static VirtIONet *to_virtio_net(VirtIODevice *vdev)
     return (VirtIONet *)vdev;
 }
 
-static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
+static void virtio_net_get_config(VirtIODevice *vdev, uint8_t *config)
 {
     VirtIONet *n = to_virtio_net(vdev);
     struct virtio_net_config netcfg;
@@ -51,6 +51,19 @@ static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
     memcpy(config, &netcfg, sizeof(netcfg));
 }
 
+static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+    struct virtio_net_config netcfg;
+
+    memcpy(&netcfg, config, sizeof(netcfg));
+
+    if (memcmp(netcfg.mac, n->mac, 6)) {
+        memcpy(n->mac, netcfg.mac, 6);
+        qemu_format_nic_info_str(n->vc, n->mac);
+    }
+}
+
 static uint32_t virtio_net_get_features(VirtIODevice *vdev)
 {
     uint32_t features = (1 << VIRTIO_NET_F_MAC);
@@ -405,7 +418,8 @@ PCIDevice *virtio_net_init(PCIBus *bus, NICInfo *nd, int devfn)
     if (!n)
         return NULL;
 
-    n->vdev.get_config = virtio_net_update_config;
+    n->vdev.get_config = virtio_net_get_config;
+    n->vdev.set_config = virtio_net_set_config;
     n->vdev.get_features = virtio_net_get_features;
     n->vdev.set_features = virtio_net_set_features;
     n->rx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_rx);


* Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-13 21:23 ` [Qemu-devel] " Alex Williamson
@ 2009-01-14 10:05   ` Dor Laor
  -1 siblings, 0 replies; 18+ messages in thread
From: Dor Laor @ 2009-01-14 10:05 UTC (permalink / raw)
  To: Alex Williamson; +Cc: kvm, qemu-devel, Mark McLoughlin

Alex Williamson wrote:
> Rename get_config for simplicity
>
> Signed-off-by: Alex Williamson <alex.williamson@hp.com>
> ---
>
>  qemu/hw/virtio-net.c |   18 ++++++++++++++++--
>  1 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/qemu/hw/virtio-net.c b/qemu/hw/virtio-net.c
> index 1f9dc16..e9b3d46 100644
> --- a/qemu/hw/virtio-net.c
> +++ b/qemu/hw/virtio-net.c
> @@ -42,7 +42,7 @@ static VirtIONet *to_virtio_net(VirtIODevice *vdev)
>      return (VirtIONet *)vdev;
>  }
>  
> -static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
> +static void virtio_net_get_config(VirtIODevice *vdev, uint8_t *config)
>  {
>      VirtIONet *n = to_virtio_net(vdev);
>      struct virtio_net_config netcfg;
> @@ -51,6 +51,19 @@ static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
>      memcpy(config, &netcfg, sizeof(netcfg));
>  }
>  
> +static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
> +{
> +    VirtIONet *n = to_virtio_net(vdev);
> +    struct virtio_net_config netcfg;
> +
> +    memcpy(&netcfg, config, sizeof(netcfg));
> +
> +    if (memcmp(netcfg.mac, n->mac, 6)) {
> +        memcpy(n->mac, netcfg.mac, 6);
> +        qemu_format_nic_info_str(n->vc, n->mac);
> +    }
> +}
> +
>   

What if the guest chooses the host's MAC?
Thinking about it, I don't think we should test for that.
A concerned host mgmt app can add ebtables rules for such a case.

Maybe we can optionally allow/deny it?


* [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-14 10:05   ` Dor Laor
  0 siblings, 0 replies; 18+ messages in thread
From: Dor Laor @ 2009-01-14 10:05 UTC (permalink / raw)
  To: Alex Williamson; +Cc: Mark McLoughlin, qemu-devel, kvm

Alex Williamson wrote:
> Rename get_config for simplicity
>
> Signed-off-by: Alex Williamson <alex.williamson@hp.com>
> ---
>
>  qemu/hw/virtio-net.c |   18 ++++++++++++++++--
>  1 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/qemu/hw/virtio-net.c b/qemu/hw/virtio-net.c
> index 1f9dc16..e9b3d46 100644
> --- a/qemu/hw/virtio-net.c
> +++ b/qemu/hw/virtio-net.c
> @@ -42,7 +42,7 @@ static VirtIONet *to_virtio_net(VirtIODevice *vdev)
>      return (VirtIONet *)vdev;
>  }
>  
> -static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
> +static void virtio_net_get_config(VirtIODevice *vdev, uint8_t *config)
>  {
>      VirtIONet *n = to_virtio_net(vdev);
>      struct virtio_net_config netcfg;
> @@ -51,6 +51,19 @@ static void virtio_net_update_config(VirtIODevice *vdev, uint8_t *config)
>      memcpy(config, &netcfg, sizeof(netcfg));
>  }
>  
> +static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
> +{
> +    VirtIONet *n = to_virtio_net(vdev);
> +    struct virtio_net_config netcfg;
> +
> +    memcpy(&netcfg, config, sizeof(netcfg));
> +
> +    if (memcmp(netcfg.mac, n->mac, 6)) {
> +        memcpy(n->mac, netcfg.mac, 6);
> +        qemu_format_nic_info_str(n->vc, n->mac);
> +    }
> +}
> +
>   

What if the guest chooses the host's MAC?
Thinking about it, I don't think we should test for that.
A concerned host mgmt app can add ebtables rules for such a case.

Maybe we can optionally allow/deny it?


* Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 10:05   ` [Qemu-devel] " Dor Laor
@ 2009-01-14 15:34     ` Alex Williamson
  -1 siblings, 0 replies; 18+ messages in thread
From: Alex Williamson @ 2009-01-14 15:34 UTC (permalink / raw)
  To: dlaor; +Cc: kvm, qemu-devel, Mark McLoughlin

On Wed, 2009-01-14 at 12:05 +0200, Dor Laor wrote:
> Alex Williamson wrote:  
> > +static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
> > +{
> > +    VirtIONet *n = to_virtio_net(vdev);
> > +    struct virtio_net_config netcfg;
> > +
> > +    memcpy(&netcfg, config, sizeof(netcfg));
> > +
> > +    if (memcmp(netcfg.mac, n->mac, 6)) {
> > +        memcpy(n->mac, netcfg.mac, 6);
> > +        qemu_format_nic_info_str(n->vc, n->mac);
> > +    }
> > +}
> > +
> >   
> 
> What if the guest will chose the host's mac?
> Thinking about it, I don't think we should test that.
> A concerned host mgmt app can add ebtables roles for such a case.
> 
> Maybe we can optionally allow/deny it?

What's the topology you're thinking of that the virtio-net MAC is also
the host MAC?  I typically use a bridge with a tap device, so the
virtio-net MAC is isolated from the host.  Thanks,

Alex


-- 
Alex Williamson                             HP Open Source & Linux Org.



* [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-14 15:34     ` Alex Williamson
  0 siblings, 0 replies; 18+ messages in thread
From: Alex Williamson @ 2009-01-14 15:34 UTC (permalink / raw)
  To: dlaor; +Cc: Mark McLoughlin, qemu-devel, kvm

On Wed, 2009-01-14 at 12:05 +0200, Dor Laor wrote:
> Alex Williamson wrote:  
> > +static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
> > +{
> > +    VirtIONet *n = to_virtio_net(vdev);
> > +    struct virtio_net_config netcfg;
> > +
> > +    memcpy(&netcfg, config, sizeof(netcfg));
> > +
> > +    if (memcmp(netcfg.mac, n->mac, 6)) {
> > +        memcpy(n->mac, netcfg.mac, 6);
> > +        qemu_format_nic_info_str(n->vc, n->mac);
> > +    }
> > +}
> > +
> >   
> 
> What if the guest will chose the host's mac?
> Thinking about it, I don't think we should test that.
> A concerned host mgmt app can add ebtables roles for such a case.
> 
> Maybe we can optionally allow/deny it?

What's the topology you're thinking of that the virtio-net MAC is also
the host MAC?  I typically use a bridge with a tap device, so the
virtio-net MAC is isolated from the host.  Thanks,

Alex


-- 
Alex Williamson                             HP Open Source & Linux Org.


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 15:34     ` [Qemu-devel] " Alex Williamson
@ 2009-01-14 16:41       ` Jamie Lokier
  -1 siblings, 0 replies; 18+ messages in thread
From: Jamie Lokier @ 2009-01-14 16:41 UTC (permalink / raw)
  To: qemu-devel; +Cc: dlaor, Mark McLoughlin, kvm

Alex Williamson wrote:
> > What if the guest will chose the host's mac?
> > Thinking about it, I don't think we should test that.
> > A concerned host mgmt app can add ebtables roles for such a case.
> > 
> > Maybe we can optionally allow/deny it?
> 
> What's the topology you're thinking of that the virtio-net MAC is also
> the host MAC?  I typically use a bridge with a tap device, so the
> virtio-net MAC is isolated from the host.  Thanks,

For example you might forward IPX packets to the guest and IP/ARP to
the host, using an ebtables rule to distinguish them.  From the
outside, it would look equivalent to a single host processing both IPX
and IP.

-- Jamie


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-14 16:41       ` Jamie Lokier
  0 siblings, 0 replies; 18+ messages in thread
From: Jamie Lokier @ 2009-01-14 16:41 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark McLoughlin, dlaor, kvm

Alex Williamson wrote:
> > What if the guest will chose the host's mac?
> > Thinking about it, I don't think we should test that.
> > A concerned host mgmt app can add ebtables roles for such a case.
> > 
> > Maybe we can optionally allow/deny it?
> 
> What's the topology you're thinking of that the virtio-net MAC is also
> the host MAC?  I typically use a bridge with a tap device, so the
> virtio-net MAC is isolated from the host.  Thanks,

For example you might forward IPX packets to the guest and IP/ARP to
the host, using an ebtables rule to distinguish them.  From the
outside, it would look equivalent to a single host processing both IPX
and IP.

-- Jamie


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 16:41       ` Jamie Lokier
  (?)
@ 2009-01-14 22:06       ` Dor Laor
  2009-01-14 22:14         ` Paul Brook
  2009-01-15 13:12         ` Jamie Lokier
  -1 siblings, 2 replies; 18+ messages in thread
From: Dor Laor @ 2009-01-14 22:06 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark McLoughlin, kvm

Jamie Lokier wrote:
> Alex Williamson wrote:
>   
>>> What if the guest will chose the host's mac?
>>> Thinking about it, I don't think we should test that.
>>> A concerned host mgmt app can add ebtables roles for such a case.
>>>
>>> Maybe we can optionally allow/deny it?
>>>       
>> What's the topology you're thinking of that the virtio-net MAC is also
>> the host MAC?  I typically use a bridge with a tap device, so the
>> virtio-net MAC is isolated from the host.  Thanks,
>>     
>
> For example you might forward IPX packets to the guest and IP/ARP to
> the host, using an ebtables rule to distinguish them.  From the
> outside, it would look equivalent to a single host processing both IPX
> and IP.
>
> -- Jamie
>
>   
That's a nice common scenario ;)
What I meant is that if we allow the guest to change its MAC address, it can
deliberately change it to other hosts'/guests' MACs and thus create networking
problems. Although the guest can always mangle packets, maybe it is worth
enforcing these MACs for the guest.

Thanks,
Dor


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 16:41       ` Jamie Lokier
  (?)
  (?)
@ 2009-01-14 22:08       ` Dor Laor
  -1 siblings, 0 replies; 18+ messages in thread
From: Dor Laor @ 2009-01-14 22:08 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark McLoughlin, kvm

Jamie Lokier wrote:
> Alex Williamson wrote:
>   
>>> What if the guest will chose the host's mac?
>>> Thinking about it, I don't think we should test that.
>>> A concerned host mgmt app can add ebtables roles for such a case.
>>>
>>> Maybe we can optionally allow/deny it?
>>>       
>> What's the topology you're thinking of that the virtio-net MAC is also
>> the host MAC?  I typically use a bridge with a tap device, so the
>> virtio-net MAC is isolated from the host.  Thanks,
>>     
>
> For example you might forward IPX packets to the guest and IP/ARP to
> the host, using an ebtables rule to distinguish them.  From the
> outside, it would look equivalent to a single host processing both IPX
> and IP.
>
> -- Jamie
>
>   
That's a nice common scenario ;)
What I meant is that if we allow the guest to change its MAC address, it can
deliberately change it to other hosts'/guests' MACs and thus create networking
problems. Although the guest can always mangle packets, maybe it is worth
enforcing these MACs for the guest.

Thanks,
Dor


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 22:06       ` Dor Laor
@ 2009-01-14 22:14         ` Paul Brook
  2009-01-15 13:11             ` Jamie Lokier
  2009-01-15 13:12         ` Jamie Lokier
  1 sibling, 1 reply; 18+ messages in thread
From: Paul Brook @ 2009-01-14 22:14 UTC (permalink / raw)
  To: qemu-devel, dlaor; +Cc: Mark McLoughlin, kvm

> What I meant is that if we allow the guest to change his mac address, it
> can deliberately
> change it to other hosts/guests mac and thus create networking problems.
> Although guest can always mangle packets, maybe it worth enforcing these
> macs for the guest.

This doesn't seem any different to real hardware that allows you to change the 
MAC address.

Paul



* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 22:14         ` Paul Brook
@ 2009-01-15 13:11             ` Jamie Lokier
  0 siblings, 0 replies; 18+ messages in thread
From: Jamie Lokier @ 2009-01-15 13:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: dlaor, Mark McLoughlin, kvm

Paul Brook wrote:
> > What I meant is that if we allow the guest to change his mac address, it
> > can deliberately
> > change it to other hosts/guests mac and thus create networking problems.
> > Although guest can always mangle packets, maybe it worth enforcing these
> > macs for the guest.
> 
> This doesn't seem any different to real hardware that allows you to
> change the MAC address.

Indeed I have used that on several occasions to workaround pointless
firewalls and home networking restrictions.

People doing MAC-level hot-failover in high-availability environments
do it too.

-- Jamie


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-15 13:11             ` Jamie Lokier
  0 siblings, 0 replies; 18+ messages in thread
From: Jamie Lokier @ 2009-01-15 13:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark McLoughlin, dlaor, kvm

Paul Brook wrote:
> > What I meant is that if we allow the guest to change his mac address, it
> > can deliberately
> > change it to other hosts/guests mac and thus create networking problems.
> > Although guest can always mangle packets, maybe it worth enforcing these
> > macs for the guest.
> 
> This doesn't seem any different to real hardware that allows you to
> change the MAC address.

Indeed I have used that on several occasions to workaround pointless
firewalls and home networking restrictions.

People doing MAC-level hot-failover in high-availability environments
do it too.

-- Jamie


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-14 22:06       ` Dor Laor
  2009-01-14 22:14         ` Paul Brook
@ 2009-01-15 13:12         ` Jamie Lokier
  2009-01-15 13:41             ` Avi Kivity
  2009-01-18  9:37           ` Dor Laor
  1 sibling, 2 replies; 18+ messages in thread
From: Jamie Lokier @ 2009-01-15 13:12 UTC (permalink / raw)
  To: dlaor, qemu-devel; +Cc: Mark McLoughlin, kvm

Dor Laor wrote:
> What I meant is that if we allow the guest to change his mac address, it 
> can deliberately
> change it to other hosts/guests mac and thus create networking problems.
> Although guest can always mangle packets, maybe it worth enforcing these 
> macs for the guest.

Although it can create network problems, sometimes it is also wanted.

I think if you want to restrict the guest's ability to break the
network by changing its MAC, it would be appropriate to have an option
to completely lock down the MAC so the guest can't change its MAC at all.

-- Jamie


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-15 13:12         ` Jamie Lokier
@ 2009-01-15 13:41             ` Avi Kivity
  2009-01-18  9:37           ` Dor Laor
  1 sibling, 0 replies; 18+ messages in thread
From: Avi Kivity @ 2009-01-15 13:41 UTC (permalink / raw)
  To: Jamie Lokier; +Cc: dlaor, qemu-devel, Mark McLoughlin, kvm

Jamie Lokier wrote:
> Dor Laor wrote:
>   
>> What I meant is that if we allow the guest to change his mac address, it 
>> can deliberately
>> change it to other hosts/guests mac and thus create networking problems.
>> Although guest can always mangle packets, maybe it worth enforcing these 
>> macs for the guest.
>>     
>
> Although it can create network problems, sometimes it is also wanted.
>
> I think if you want to restrict the guests's ability to break the
> network by changing its MAC, it would be appropriate to have an option
> to completely lock down the MAC so the guest can't change its MAC at all.
>   

I don't think locking down the MAC is very useful; the guest can still 
fake its IP address.

If the admin wants to lock down the guest, they should use netfilter 
(and live with the performance hit).

-- 
error compiling committee.c: too many arguments to function



* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
@ 2009-01-15 13:41             ` Avi Kivity
  0 siblings, 0 replies; 18+ messages in thread
From: Avi Kivity @ 2009-01-15 13:41 UTC (permalink / raw)
  To: Jamie Lokier; +Cc: Mark McLoughlin, dlaor, qemu-devel, kvm

Jamie Lokier wrote:
> Dor Laor wrote:
>   
>> What I meant is that if we allow the guest to change his mac address, it 
>> can deliberately
>> change it to other hosts/guests mac and thus create networking problems.
>> Although guest can always mangle packets, maybe it worth enforcing these 
>> macs for the guest.
>>     
>
> Although it can create network problems, sometimes it is also wanted.
>
> I think if you want to restrict the guests's ability to break the
> network by changing its MAC, it would be appropriate to have an option
> to completely lock down the MAC so the guest can't change its MAC at all.
>   

I don't think locking down the MAC is very useful; the guest can still 
fake its IP address.

If the admin wants to lock down the guest, they should use netfilter 
(and live with the performance hit).

-- 
error compiling committee.c: too many arguments to function


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-15 13:12         ` Jamie Lokier
  2009-01-15 13:41             ` Avi Kivity
@ 2009-01-18  9:37           ` Dor Laor
  2009-01-18  9:42             ` Avi Kivity
  1 sibling, 1 reply; 18+ messages in thread
From: Dor Laor @ 2009-01-18  9:37 UTC (permalink / raw)
  To: qemu-devel; +Cc: Mark McLoughlin, kvm

Jamie Lokier wrote:
> Dor Laor wrote:
>   
>> What I meant is that if we allow the guest to change his mac address, it 
>> can deliberately
>> change it to other hosts/guests mac and thus create networking problems.
>> Although guest can always mangle packets, maybe it worth enforcing these 
>> macs for the guest.
>>     
>
> Although it can create network problems, sometimes it is also wanted.
>
> I think if you want to restrict the guests's ability to break the
> network by changing its MAC, it would be appropriate to have an option
> to completely lock down the MAC so the guest can't change its MAC at all.
>
>   
That's what I was aiming at.
One example where this can be helpful is when kvm is used to run virtual
servers in a computing farm like Amazon. You wouldn't want a VM owner to
mess up your network.


* Re: [Qemu-devel] Re: [PATCH 1/5] virtio-net: Allow setting the MAC address via set_config
  2009-01-18  9:37           ` Dor Laor
@ 2009-01-18  9:42             ` Avi Kivity
  0 siblings, 0 replies; 18+ messages in thread
From: Avi Kivity @ 2009-01-18  9:42 UTC (permalink / raw)
  To: dlaor, qemu-devel; +Cc: Mark McLoughlin, kvm

Dor Laor wrote:
> Jamie Lokier wrote:
>> Dor Laor wrote:
>>  
>>> What I meant is that if we allow the guest to change his mac 
>>> address, it can deliberately
>>> change it to other hosts/guests mac and thus create networking 
>>> problems.
>>> Although guest can always mangle packets, maybe it worth enforcing 
>>> these macs for the guest.
>>>     
>>
>> Although it can create network problems, sometimes it is also wanted.
>>
>> I think if you want to restrict the guests's ability to break the
>> network by changing its MAC, it would be appropriate to have an option
>> to completely lock down the MAC so the guest can't change its MAC at 
>> all.
>>
>>   
> That's what I was shooting to.
> One example this can be helpful is when kvm is used to run virtual 
> servers in a computing
> farm like Amazon. You wouldn't like a VM owner to mess your network.

Restricting the MAC address won't help.  The guest can still forge the 
link layer address and/or the IP layer addresses.

This needs to be addressed by netfilter.

-- 
error compiling committee.c: too many arguments to function


