Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu

[Jamie Lokier]

Anthony Liguori wrote:
> Avi Kivity wrote:
> >No, of course not, I use qemu from the command line and would benefit 
> >from -net bridge.  My badly-conveyed objection is that qemu should not 
> >take a system management role (and enforce system-wide policies) but 
> >leave that to system management tools.
> 
> I do not consider this system management functional no more than I see 
> providing a global configuration file as system management functional.  
> They are both mechanisms.  The ACL file is a mechanism just like VNC 
> sasl ACLs are a mechanism.

That's why I would like there to be options to either pass to the
helper program, or specify a different helper program.  (Sorry if
that's already in the patches - for some reason I received 0/4 but
didn't receive the 4 patch emails).

There's no need for QEMU to be cleverer than that, and that puts the
whole policy in the hands of the user - where it should be.

It'd still install the default helper you've provided and use it by
default, of course.

> The only other configuration I've seen with a tap device is to directly 
> configure an ip address with it and not use a bridge at all.  That's 
> covered by -net tap though and really is not all that useful except for 
> benchmarking.

Contrarily, it's incredibly useful!  Most of my server VMs uses the
tap device without a bridge.  They are on private subnets within the
host, and use iptables NAT to access the outside world, with NAT port
forwarding to offer specific services.  That isolates them securely
far more effectively than bridging, and the iptables is simpler too.

-- Jamie