Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
From: Jamie Lokier
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Date: Mon, 9 Nov 2009 19:19:10 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

Anthony Liguori wrote:
> You are correct except that I qualified this as NAT with host access
> which so far is the common model. If the host can access the NAT'd
> network behind the NAT, then port privileges are important.

You're right.

This is why QEMU guests should be run inside an LXC container :-)

Or in the general case, a security-conscious net-setup script should
ensure general user invocations are limited to admin-decided subnets
with admin-decided firewall rules, so that they just look like
processes with ordinary access to everything else.

Iptables being what it is, that'd have to be distro specific and
sometimes site specific.

-- Jamie