On Wed, Sep 11, 2024 at 03:02:40PM -0600, Jim Fehlig wrote:
> This is essentially V2 of a small series inspired by a report on the
> security list about nwfilters not working with Xen VMs. V1 was posted
> to the security list, so no public reference. The libxl driver simply
> does not support nwfilters, so the report is really an RFE vs a
> security issue.
>
> I'm now moving the discussion to the public devel list. I don't have
> time to add nwfilter support to the libxl driver, but agree the
> documentation could be improved. Given the perceived security
> implications, I also think it's worth considering rejecting Xen VM
> <interface> configuration containing <filterref>, even though libvirt
> tends to ignore unsupported XML config.
>
> Patch1 improves the documentation. I also considered adding a
> "Limitations" section to docs/drvxen.rst, but none of the other
> drivers have such a section. Also, for the xen one, I wasn't sure where
> to start with listing limitations :-P.

Does the Xen driver have a lot of limitations compared to other drivers?

> Patch2 rejects Xen VM config containing <filterref> in their <interface>
> definitions.

Should something similar be added to the other drivers without
<filterref> support? I think it would be best if <filterref> was
known to all drivers and explicitly rejected by the ones that do not
support it.

> Jim Fehlig (2):
>   docs: Clarify hypervisor support for nwfilter profiles
>   libxl: Reject VM config referencing nwfilters
>
>  docs/formatdomain.rst    | 8 ++++----
>  src/libxl/libxl_domain.c | 7 +++++++
>  2 files changed, 11 insertions(+), 4 deletions(-)

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab