On Wednesday 16 September 2009, Michael S. Tsirkin wrote:
> >
> > No, I think this is less important, because the bridge code
> > also doesn't do this.
>
> True, but the reason might be that it is much harder in bridge (you have
> to snoop multicast registrations). With macvlan you know which
> multicasts does each device want.
Right. It shouldn't be hard to do, and I'll probably get to
that after the other changes.
> > One of the problems that raw packet sockets have is the requirement
> > for root permissions (e.g. through libvirt). Tap sockets and
> > macvtap both don't have this limitation, so you can use them as
> > a regular user without libvirt.
>
> I don't see a huge difference here.
> If you are happy with the user being able to bypass filters in host,
> just give her CAP_NET_RAW capability. It does not have to be root.
Capabilities are nice in theory, but I've never seen them being used
effectively in practice, where it essentially comes down to some
SUID wrapper. Also, I might not want to allow the user to open a
random random raw socket, but only one on a specific downstream
port of a macvlan interface, so I can filter out the data from
that respective MAC address in an external switch.
That scenario is probably not so relevant for KVM, unless you
consider the guest taking over the qemu host process a valid
security threat.
Arnd <><
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
