On Tue, 2010-01-26 at 14:47 -0600, Anthony Liguori wrote:
> On 01/26/2010 02:40 PM, Sridhar Samudrala wrote:
> > This patch adds a raw socket backend to qemu and is based on Or Gerlitz's
> > patch re-factored and ported to the latest qemu-kvm git tree.
> > It also includes support for vnet_hdr option that enables gso/checksum
> > offload with raw backend. You can find the linux kernel patch to support
> > this feature here.
> >     http://thread.gmane.org/gmane.linux.network/150308
> >
> > Signed-off-by: Sridhar Samudrala<s...@us.ibm.com>
> >    
> 
> See the previous discussion about the raw backend from Or's original 
> patch.  There's no obvious reason why we should have this in addition to 
> a tun/tap backend.
> 
> The only use-case I know of is macvlan but macvtap addresses this 
> functionality while not introducing the rather nasty security problems 
> associated with a raw backend.

The raw backend can be attached to a physical device, macvlan or SR-IOV VF.
I don't think an AF_PACKET socket itself introduces any security problems. The
raw socket can be created only by a user with CAP_RAW capability. The only
issue is if we need to assume that qemu itself is an untrusted process and a
raw fd cannot be passed to it.
But I think it is a useful backend to support in qemu that provides guest to
remote host connectivity without the need for a bridge/tap.

macvtap could be an alternative if it supports binding to SR-IOV VFs too.

Thanks
Sridhar
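
The fd-passing arrangement this reply refers to, as an added example that is not part of the original message or of the qemu patch: a helper that holds the capability (CAP_NET_RAW on Linux) opens the AF_PACKET socket and hands only the descriptor to an unprivileged process over a Unix socket with SCM_RIGHTS. The capability is checked when the socket is created, so whoever receives the descriptor can use the raw socket without holding it; all function names are hypothetical.

```c
/* Added example, not from the qemu patch; all function names are hypothetical. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Control buffer sized and aligned for exactly one passed descriptor. */
typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctl_t;

/* Helper side: AF_PACKET needs CAP_NET_RAW; returns -1 without it. */
int open_raw(void) { return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); }

int send_fd(int chan, int fd)            /* helper -> unprivileged process */
{
    char b = 'F'; ctl_t c = {{0}};
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS;
    h->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(h), &fd, sizeof(int));
    return sendmsg(chan, &m, 0) == 1 ? 0 : -1;
}
int recv_fd(int chan)                    /* returns a new descriptor or -1 */
{
    char b; ctl_t c = {{0}}; int fd;
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = c.buf, .msg_controllen = sizeof(c.buf) };
    if (recvmsg(chan, &m, 0) != 1) return -1;
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    if (!h || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(h), sizeof(int));
    return fd;
}
/* Pass fd across a socketpair and report SO_TYPE seen via the received copy. */
int handoff_type(int fd)
{
    int sp[2], got, type = -1; socklen_t len = sizeof(type);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    if (send_fd(sp[0], fd) == 0 && (got = recv_fd(sp[1])) >= 0) {
        if (getsockopt(got, SOL_SOCKET, SO_TYPE, &type, &len) < 0) type = -1;
        close(got);
    }
    close(sp[0]); close(sp[1]);
    return type;
}
```

Calling handoff_type(open_raw()) from a process that holds CAP_NET_RAW reports SOCK_RAW through the received descriptor; without the capability open_raw() fails and nothing is passed.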



