Re: [PATCH 0/2] Reject Xen VM config containing nwfilter references

On Wed, Sep 11, 2024 at 03:02:40PM -0600, Jim Fehlig wrote: > This is essentially V2 of a small series inspired by a report on the > security list about nwfilters not working with Xen VMs. V1 was posted > to the security list, so no public reference. The libxl driver simply > does not support nwfilters, so the report is really a RFE vs a > security issue. > > I'm now moving the discussion to the public devel list. I don't have > time to add nwfilter support to the libxl driver, but agree the > documentation could be improved. Given the perceived security > implications, I also think it's worth considering rejecting Xen VM > <interface> configuration containing <filterref>, even though libvirt > tends to ignore unsupported XML config. > > Patch1 improves the documentation. I also considered adding a > "Limitations" section to docs/drvxen.rst, but none of the other > drivers have such section. Also, for the xen one, I wasn't sure where > to start with listing limitations :-P. Does the Xen driver have a lot of limitations compared to other drivers?

> Patch2 rejects Xen VM config containg <filterref> in their <interface> > definitions. Should something similar be added to the other drivers without <filterref> support? I think it would be best if <filterref> was known to all drivers and explicitly rejected by the ones that do not support it.