[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

> 1. add a secondary mac (or third, etc) address to the guest virtio-net interface.

Maybe I misunderstood this. Is it just setting another mac on the guest virtio-net interface?

> 4. the above stuff must be controllable by host admin
> - Well, for this there are a few options:
>   admin switch that allows the guest user to add macs
>   preconfig allowed MAC's in macvtap (or qemu config) for the guest user
>   allow/disallow command for user in qemu (although this doesn't seem to be supported)

Well, on a second thought, qemu capabilities should be just fine, right?

-- Dragos
[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

On Mon, Nov 01, 2010 at 11:48:23AM +0100, Dragos Tatulea wrote:
> > 1. add a secondary mac (or third, etc) address to the guest virtio-net interface.
>
> Maybe I misunderstood this. Is it just setting another mac on the guest virtio-net interface?

Well, yes, that's also not possible at the moment. Or e.g. set more than one mac per virtio-net device using macvlan.

> > 4. the above stuff must be controllable by host admin
> > - Well, for this there are a few options:
> >   admin switch that allows the guest user to add macs
> >   preconfig allowed MAC's in macvtap (or qemu config) for the guest user
> >   allow/disallow command for user in qemu (although this doesn't seem to be supported)
>
> Well, on a second thought, qemu capabilities should be just fine, right?
>
> -- Dragos

At some level, although I think we also want a way to disable access that qemu can't override unless it has net admin capability.

-- MST
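
One way to express the host-admin control discussed in the message above (an admin switch plus a preconfigured list of allowed MACs), added here as an illustration and not taken from QEMU, macvtap or any poster in this thread. The names `mac_policy` and `check_guest_mac_table`, the verdict codes and the sample MAC addresses are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAC_LEN 6

/* Hypothetical host-side policy, set by the host admin, never by the guest. */
struct mac_policy {
    bool guest_may_program;            /* admin switch; false = fail closed */
    size_t n_allowed;
    const uint8_t (*allowed)[MAC_LEN]; /* MACs preconfigured for this guest */
};
enum verdict { MAC_OK, MAC_SWITCH_OFF, MAC_NOT_UNICAST, MAC_NOT_ALLOWED };

static bool mac_in_allow_list(const struct mac_policy *p, const uint8_t *mac) {
    for (size_t i = 0; i < p->n_allowed; i++)
        if (memcmp(p->allowed[i], mac, MAC_LEN) == 0)
            return true;
    return false;
}

/* All-or-nothing: one bad entry rejects the guest's whole requested table. */
enum verdict check_guest_mac_table(const struct mac_policy *p,
                                   const uint8_t (*req)[MAC_LEN], size_t n) {
    if (!p->guest_may_program)
        return MAC_SWITCH_OFF;
    for (size_t i = 0; i < n; i++) {
        if (req[i][0] & 0x01)          /* I/G bit set: multicast/broadcast */
            return MAC_NOT_UNICAST;
        if (!mac_in_allow_list(p, req[i]))
            return MAC_NOT_ALLOWED;
    }
    return MAC_OK;
}

/* Constructed sample data using the locally administered 52:54:00 prefix. */
static const uint8_t allowed_macs[][MAC_LEN] = {
    {0x52, 0x54, 0x00, 0x12, 0x34, 0x56}, {0x52, 0x54, 0x00, 0x12, 0x34, 0x57} };
static const uint8_t req_ok[][MAC_LEN]       = { {0x52, 0x54, 0x00, 0x12, 0x34, 0x57} };
static const uint8_t req_other_vm[][MAC_LEN] = { {0x52, 0x54, 0x00, 0xaa, 0xbb, 0xcc} };
static const uint8_t req_bcast[][MAC_LEN]    = { {0xff, 0xff, 0xff, 0xff, 0xff, 0xff} };
static const struct mac_policy policy_on  = { true,  2, allowed_macs };
static const struct mac_policy policy_off = { false, 2, allowed_macs };

int main(void) {
    printf("%d %d ", check_guest_mac_table(&policy_on, req_ok, 1),
           check_guest_mac_table(&policy_on, req_other_vm, 1));
    printf("%d %d\n", check_guest_mac_table(&policy_on, req_bcast, 1),
           check_guest_mac_table(&policy_off, req_ok, 1));
    return 0;
}
```

An empty request (`n == 0`) is accepted when the switch is on, which in this model corresponds to the guest clearing its extra addresses.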
[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

I have created a wiki page for this [1], also added to the networking todo list [2]. No meaty information yet. But it's enough to start working on it.

[1] - http://www.linux-kvm.org/page/GuestProgrammableMacVlanFiltering
[2] - http://www.linux-kvm.org/page/NetworkingTodo

-- Dragos
[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

Hi,

I'm starting a thread related to the TODO item mentioned in the subject. Currently still gathering info and trying to make kvm macvtap play nicely together. I have used this [1] guide to set it up but qemu is still complaining about the PCI device address of the virtio-net-pci. Tried with latest qemu. Am I missing something here?

Here are the suggestions received so far from Michael Tsirkin (and my questions):

1. add a secondary mac (or third, etc) address to the guest virtio-net interface.
   - This implies using a single macvtap interface to handle all the macs
   - How would that appear on the guest? As another interface? As a virtual interface? This is tap-like behavior :).
   - The macvtap interface on the host shouldn't have a mac or should ignore it.
2. create a vlan device on the guest virtio-net device
3. set promiscuous mode on guest virtio-net device
   - And that means STRICTLY guest promiscuous, right? You shouldn't be able to receive frames from other VM's, right?
4. the above stuff must be controllable by host admin
   - Well, for this there are a few options:
     admin switch that allows the guest user to add macs
     preconfig allowed MAC's in macvtap (or qemu config) for the guest user
     allow/disallow command for user in qemu (although this doesn't seem to be supported)

What is the use-case for this project? From what I gather so far, the guest user will be able to add interfaces/macs without rebooting the VM. Am I correct? Anything else?

Thanks,
Dragos
[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

On Friday 15 October 2010, Michael S. Tsirkin wrote:
> On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> > Hi,
> >
> > I'm starting a thread related to the TODO item mentioned in the subject. Currently still gathering info and trying to make kvm macvtap play nicely together. I have used this [1] guide to set it up but qemu is still complaining about the PCI device address of the virtio-net-pci. Tried with latest qemu. Am I missing something here?
> >
> > [1] - http://virt.kernelnewbies.org/MacVTap
>
> It really should be:
> -net nic,model=virtio,netdev=foo -netdev tap,id=foo
>
> Created account but still could not edit the wiki.
> Arnd, know why that is? Could you correct qemu command line pls?

I also have lost write access to the wiki, no idea what happened there. I started the page, but it subsequently became protected.

We never added support for the qemu command line directly, the plan was to do that using helper scripts. The only way to do it is to redirect both input and output to the tap device, so you need to do

-net nic,model=virtio,netdev=foo -netdev tap,id=foo,fd=3 3

when starting from bash.

Arnd
[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> Hi,
>
> I'm starting a thread related to the TODO item mentioned in the subject. Currently still gathering info and trying to make kvm macvtap play nicely together. I have used this [1] guide to set it up but qemu is still complaining about the PCI device address of the virtio-net-pci. Tried with latest qemu. Am I missing something here?
>
> [1] - http://virt.kernelnewbies.org/MacVTap
>
> -- Dragos

It really should be:
-net nic,model=virtio,netdev=foo -netdev tap,id=foo

Created account but still could not edit the wiki.
Arnd, know why that is? Could you correct qemu command line pls?

-- MST