On 9/11/24 15:49, Demi Marie Obenour wrote:
On Wed, Sep 11, 2024 at 03:02:40PM -0600, Jim Fehlig wrote:
This is essentially V2 of a small series inspired by a report on the security list about nwfilters not working with Xen VMs. V1 was posted to the security list, so no public reference. The libxl driver simply does not support nwfilters, so the report is really a RFE vs a security issue.
I'm now moving the discussion to the public devel list. I don't have time to add nwfilter support to the libxl driver, but agree the documentation could be improved. Given the perceived security implications, I also think it's worth considering rejecting Xen VM <interface> configuration containing <filterref>, even though libvirt tends to ignore unsupported XML config.
Patch1 improves the documentation. I also considered adding a "Limitations" section to docs/drvxen.rst, but none of the other drivers have such section. Also, for the xen one, I wasn't sure where to start with listing limitations :-P.
Does the Xen driver have a lot of limitations compared to other drivers?
Not necessarily. It just feels that way since I'm one of the few contributors, and haven't contributed much in quite a while.
Patch2 rejects Xen VM config containg <filterref> in their <interface> definitions.
Should something similar be added to the other drivers without <filterref> support? I think it would be best if <filterref> was known to all drivers and explicitly rejected by the ones that do not support it.
That's a good point, and might be part of the reason libvirt drivers have traditionally ignored unsupported XML config. Let's see what other maintainers have to say about this patch. Regards, Jim