On Tue, 2008-02-05 at 00:25 +0000, Daniel P. Berrange wrote:
> The main problem I know of is not VDE itself, but the means of connecting
> a VDE network to the outside world - namely the SLIRP code. Last time it
> was examined it was found to be non-64-bit clean & have significant questions
> around security. We wondered about whether it would be possible to have a
> privileged helper for creating tap devices which could be used to connect
> the VDE network to the outside world. It's possible, but the devil's in the
> details & how you constrain access to not conflict with host networking.

Nice summary ... that's exactly it.

The sound part of VDE is its ability to behave as a userspace ethernet
bridge. The nasty part is its TCP/IP stack - which is equivalent to
"qemu -net user".

The ideal situation would be to allow unprivileged processes to use the
kernel network stack rather than implementing a whole new stack. We
knocked around some ideas on that front but didn't come to any concrete
conclusions.

Cheers,
Mark.