docs/formatdomain.rst | 8 ++++---- src/libxl/libxl_domain.c | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-)
This is essentially V2 of a small series inspired by a report on the security list about nwfilters not working with Xen VMs. V1 was posted to the security list, so no public reference. The libxl driver simply does not support nwfilters, so the report is really a RFE vs a security issue. I'm now moving the discussion to the public devel list. I don't have time to add nwfilter support to the libxl driver, but agree the documentation could be improved. Given the perceived security implications, I also think it's worth considering rejecting Xen VM <interface> configuration containing <filterref>, even though libvirt tends to ignore unsupported XML config. Patch1 improves the documentation. I also considered adding a "Limitations" section to docs/drvxen.rst, but none of the other drivers have such section. Also, for the xen one, I wasn't sure where to start with listing limitations :-P. Patch2 rejects Xen VM config containg <filterref> in their <interface> definitions. Jim Fehlig (2): docs: Clarify hypervisor support for nwfilter profiles libxl: Reject VM config referencing nwfilters docs/formatdomain.rst | 8 ++++---- src/libxl/libxl_domain.c | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-) -- 2.35.3
On Wed, Sep 11, 2024 at 03:02:40PM -0600, Jim Fehlig wrote: > This is essentially V2 of a small series inspired by a report on the > security list about nwfilters not working with Xen VMs. V1 was posted > to the security list, so no public reference. The libxl driver simply > does not support nwfilters, so the report is really a RFE vs a > security issue. > > I'm now moving the discussion to the public devel list. I don't have > time to add nwfilter support to the libxl driver, but agree the > documentation could be improved. Given the perceived security > implications, I also think it's worth considering rejecting Xen VM > <interface> configuration containing <filterref>, even though libvirt > tends to ignore unsupported XML config. > > Patch1 improves the documentation. I also considered adding a > "Limitations" section to docs/drvxen.rst, but none of the other > drivers have such section. Also, for the xen one, I wasn't sure where > to start with listing limitations :-P. Does the Xen driver have a lot of limitations compared to other drivers? > Patch2 rejects Xen VM config containg <filterref> in their <interface> > definitions. Should something similar be added to the other drivers without <filterref> support? I think it would be best if <filterref> was known to all drivers and explicitly rejected by the ones that do not support it. > Jim Fehlig (2): > docs: Clarify hypervisor support for nwfilter profiles > libxl: Reject VM config referencing nwfilters > > docs/formatdomain.rst | 8 ++++---- > src/libxl/libxl_domain.c | 7 +++++++ > 2 files changed, 11 insertions(+), 4 deletions(-) -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
On 9/11/24 15:49, Demi Marie Obenour wrote: > On Wed, Sep 11, 2024 at 03:02:40PM -0600, Jim Fehlig wrote: >> This is essentially V2 of a small series inspired by a report on the >> security list about nwfilters not working with Xen VMs. V1 was posted >> to the security list, so no public reference. The libxl driver simply >> does not support nwfilters, so the report is really a RFE vs a >> security issue. >> >> I'm now moving the discussion to the public devel list. I don't have >> time to add nwfilter support to the libxl driver, but agree the >> documentation could be improved. Given the perceived security >> implications, I also think it's worth considering rejecting Xen VM >> <interface> configuration containing <filterref>, even though libvirt >> tends to ignore unsupported XML config. >> >> Patch1 improves the documentation. I also considered adding a >> "Limitations" section to docs/drvxen.rst, but none of the other >> drivers have such section. Also, for the xen one, I wasn't sure where >> to start with listing limitations :-P. > > Does the Xen driver have a lot of limitations compared to other drivers? Not necessarily. It just feels that way since I'm one of the few contributors, and haven't contributed much in quite a while. >> Patch2 rejects Xen VM config containg <filterref> in their <interface> >> definitions. > > Should something similar be added to the other drivers without > <filterref> support? I think it would be best if <filterref> was known > to all drivers and explicitly rejected by the ones that do not support > it. That's a good point, and might be part of the reason libvirt drivers have traditionally ignored unsupported XML config. Let's see what other maintainers have to say about this patch. Regards, Jim
© 2016 - 2026 Red Hat, Inc.