[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qem

From: Jamie Lokier
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Fri, 6 Nov 2009 02:08:52 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

Daniel P. Berrange wrote:
> On Thu, Nov 05, 2009 at 11:03:48AM -0600, Anthony Liguori wrote:
> > Daniel P. Berrange wrote:
> > >Indeed the hotplug  scenario is a bit of a problem in this model,
> > >since libvirt needs to be able to setup iptables & ebtables rules
> > >between creating the device & giving it to the guest.
> > >  
> > 
> > But does libvirt every setup tap specific iptable or ebtable rules?
> We have recently got a mode where we setup a rule against a specific TAP
> device to filter non-assigned MAC, to prevent guests spoofing MAC addrs,
> and will do similar for IP packets in the future.

It's a good idea, but it can be difficult to update iptables rules on
a general system which has lots of other iptables rules as well.  How
do you handle that?

Btw, my approach to filtering & spoof avoidance, for some VMs which
don't need to be bridged, has been to avoid bridging, put the VMs on
their own private subnet inside the host, and used iptables NAT to
route them.

That blocks things like mDNS, Windows Network Neighbourhood discovery
and so on, but for some VMs that doesn't matter or is even preferable,
to provide better isolation.

-- Jamie

reply via email to

[Prev in Thread] Current Thread [Next in Thread]