
[Qemu-devel] Macvtap or tap+bridge


From: Chris Webb
Subject: [Qemu-devel] Macvtap or tap+bridge
Date: Wed, 4 Apr 2012 15:18:43 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

When I first started setting up qemu-kvm VMs for customers, I set up their
internet-facing network with tap interfaces enslaved to a host bridge along
with the physical network card of the host, something like

  ip tuntap add dev tapN mode tap      # create the guest's tap device
  brctl addif br0 tapN                 # enslave it to the bridge that also holds eth0
  ip link set tapN up
  qemu-kvm ... -net nic,... -net tap,ifname=tapN,script=no,downscript=no

More recently on my development boxes, I've been using macvtap in the form

  ip link add link eth0 name guestN address MAC type macvtap mode bridge
  ip link set guestN up
  # open the macvtap character device (/dev/tap<ifindex>) on fd 3 and hand it to qemu
  qemu-kvm ... -net nic,macaddr=MAC,... -net tap,fd=3 \
           3<>/dev/tap$(< /sys/class/net/guestN/ifindex)

In the bridge-based setup, I use ebtables rules on the tapN port to prevent
guests from receiving or emitting packets with the wrong MAC address, and also
to prevent them from ARPing for or more generally receiving or emitting
packets from IP addresses which don't belong to them.

With macvtap, the setup and configuration is nicer and the MAC address
restriction is built-in, but there doesn't appear to be a mechanism to apply
any other filter, such as that which would be needed to restrict guests to
particular IP addresses or from emitting non-IP protocols.

On the other hand, the machines using the bridges appear to be much easier to
DoS with packet floods than normal linux hosts, presumably because their
public-facing interfaces run in promiscuous mode. Macvtap-based hosts with
their simple, static configuration seem as immune as normal linux hosts with
standard one-eth0-interface networking.

Is there a way to get the best of both worlds? I'd love to have the static MAC
setup and DoS resistance of macvtap but still be able to apply some basic
filter rules, restricting VMs to the handful of ipv4/6 addresses they're
entitled to. In the absence of ebtables for macvtap, is there some way I can
send packets relating to a macvtap interface through netfilter, in the same
way CONFIG_BRIDGE_NETFILTER would do for packets traversing a linux bridge?

Best wishes,

Chris.
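
As an added example (not part of Chris's post, and not QEMU's or the kernel's own code): a shell function that emits the per-port ebtables policy the post describes for the tap+bridge setup, with the guest's MAC, IPv4 and IPv6 addresses restricted the way the text outlines. The tap name, MAC address, chain names and IP addresses are constructed sample values; the function only prints the ebtables commands, so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the original post: the per-port ebtables policy the
# mail describes for the tap+bridge setup (wrong source MAC dropped, ARP and
# IPv4/IPv6 sources restricted to the guest's own addresses, non-IP protocols
# dropped, and frames for other MACs/IPs not delivered to the guest).
# Chain names, the tap name, MAC and addresses are constructed sample values.
# The function only prints the ebtables commands; pipe its output to sh (as
# root) to apply them.
#
# usage: vm_filter_rules TAP MAC IPV4 IPV6ADDR [IPV6ADDR-or-PREFIX ...]

vm_filter_rules() {
    tap=$1; mac=$2; ip4=$3; shift 3
    in_chain="VM_${tap}_IN"     # frames the guest emits (bridge input port = tap)
    out_chain="VM_${tap}_OUT"   # frames delivered to the guest (output port = tap)

    # Per-port chains with a RETURN policy, so a frame going tap0 -> tap1 is
    # checked by both the emitter's IN chain and the receiver's OUT chain.
    echo "ebtables -N $in_chain -P RETURN"
    echo "ebtables -N $out_chain -P RETURN"
    echo "ebtables -A FORWARD -i $tap -j $in_chain"
    echo "ebtables -A FORWARD -o $tap -j $out_chain"

    # --- what the guest may emit ---
    echo "ebtables -A $in_chain -s ! $mac -j DROP"                    # only its own source MAC
    echo "ebtables -A $in_chain -p ARP --arp-mac-src ! $mac -j DROP"  # no ARP on behalf of other MACs
    echo "ebtables -A $in_chain -p ARP --arp-ip-src ! $ip4 -j DROP"   # no ARP claims for other IPv4s
    echo "ebtables -A $in_chain -p ARP -j ACCEPT"
    echo "ebtables -A $in_chain -p IPv4 --ip-src ! $ip4 -j DROP"      # IPv4 source must be the guest's
    echo "ebtables -A $in_chain -p IPv4 -j ACCEPT"
    # IPv6: the guest's global address(es) plus link-local, which neighbour
    # discovery needs; any other IPv6 source is dropped.
    for src in fe80::/64 "$@"; do
        echo "ebtables -A $in_chain -p IPv6 --ip6-src $src -j ACCEPT"
    done
    echo "ebtables -A $in_chain -p IPv6 -j DROP"
    echo "ebtables -A $in_chain -j DROP"                              # anything that is not ARP/IPv4/IPv6

    # --- what may be delivered to the guest ---
    echo "ebtables -A $out_chain -d Broadcast -j RETURN"              # broadcast/multicast pass through
    echo "ebtables -A $out_chain -d Multicast -j RETURN"
    echo "ebtables -A $out_chain -d ! $mac -j DROP"                   # unicast only to its own MAC
    echo "ebtables -A $out_chain -p IPv4 --ip-dst ! $ip4 -j DROP"     # and only to its own IPv4
}

# Print the rule set for a constructed sample guest.
vm_filter_rules tap0 52:54:00:aa:bb:cc 192.0.2.10 2001:db8::10
```

The chains hook only FORWARD, i.e. frames bridged between eth0 and the tap ports; if the host itself talks to guests through an address on br0, the same jumps are needed from INPUT (`-i tapN`) and OUTPUT (`-o tapN`). Two caveats a deployment should weigh: ARP probes with a 0.0.0.0 sender (duplicate address detection) are dropped by this policy unless an extra ACCEPT for `--arp-ip-src 0.0.0.0` is added, and the `fe80::/64` ACCEPT is needed because IPv6 neighbour discovery is sourced from the link-local address, so link-local spoofing on the segment is not prevented by these rules.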


