guest MAC-address isolation

guest MAC-address isolation

[Robert Rebstock]

Hello kvmers.

I am having network issues that I suspect are related to kvm's
user mode networking; in particular:

I have a server setup with virtualized kvm clients started with 
"user mode" networking and RDP port redirection as follows:

 7719 ?        Sl   454:05  \_ kvm -m 2048 -redir tcp:3394::3389 ...
 7731 ?        Sl    97:58  \_ kvm -m 2048 -redir tcp:3393::3389 ...
 7768 ?        Sl   109:23  \_ kvm -m 2048 -redir tcp:3392::3389 ...
 7801 ?        Sl    43:46  \_ kvm -m 2048 -redir tcp:3391::3389 ...
 7823 ?        Sl    16:19  \_ kvm -m 2048 -redir tcp:3398::3389 ...
 7834 ?        Sl    59:38  \_ kvm -m 2048 -redir tcp:3395::3389 ...

which are being accessed by linux rdesktop clients.

Although server and clients are on the same LAN, RDP-traffic is only updated
in correlation to user input, leaving me looking for a way to circumvent this,
so that the users don't have to frantically thrash their mouse to and fro, to
get data on their usb-sticks or watch YouTube. ;-)

All kvm's are using (and must use) the same MAC-address; this shouldn't be a
problem with "-net user", right?

Aside from my specific setup, what I'm really looking for is the best way to
achieve "guest MAC-address isolation".

Is slirpvde worth trying, or maybe tcp-bridge (I suspect that the performance
is not acceptable)?

Any ideas on whether there is a way to achieve "guest MAC address isolation"
with ebtables? I can get "MAC NAT" (sort of) working with:

ebtables -t nat -A PREROUTING  -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT

but I have no idea on how I might be able to achieve "guest MAC address isolation"
with multiple guests needing the same MAC.

My current non "user mode" networking setup looks as such (alittle debian specific):

/etc/network/interfaces:
auto lo

iface lo inet loopback



auto br0

iface br0 inet static

        bridge_ports eth0

        bridge_maxwait 0

        address 192.168.2.200

        netmask 255.255.255.0

        gateway 192.168.2.1

        pre-up modprobe ip_conntrack_tftp

        pre-up modprobe ip_conntrack_ftp

        pre-up modprobe ip_nat_tftp

        pre-up modprobe ip_nat_ftp



auto natbr0

iface natbr0 inet static

        bridge_ports dummy

        bridge_maxwait 0

        address 192.168.99.1

        netmask 255.255.255.0

        up /usr/sbin/dnsmasq --interface=natbr0  --except-interface=lo --bind-interfaces --user=nobody \

         --dhcp-range=natbr0,192.168.99.50,192.168.99.100,255.255.255.0,192.168.99.255,72h \

         --domain=example.net --pid-file=/var/run/natbr0_dnsmasq.pid --conf-file

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

        post-up iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT

        post-up iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT



/etc/kvm/kvm-ifup-br:
#!/bin/sh

BRIDGE=br0

/sbin/ifconfig $1 0.0.0.0 up

/usr/sbin/brctl addif $BRIDGE $1



/etc/kvm/kvm-ifup-natbr:
#!/bin/sh

BRIDGE=natbr0

/sbin/ifconfig $1 0.0.0.0 up

/usr/sbin/brctl addif $BRIDGE $1


I would be most interested in an (guest agnostic) ebtables solution. Any help or insight is much appreciated.

Thank you in advance,
best regards,

Robert

PS. Please BCC me, as I am not on the list.

guest MAC-address isolation

[Robert Rebstock]

Hello all,

can anyone recommend a better way to achive (guest agnostic) MAC-address
isolation in qemu/kvm then with user-mode networking?

I have multiple guests requiring the same MAC-address, and user-mode/slirp
networking is quite slow.

best regards,

Robert

PS. Please BCC me, as I am not on the list.

Re: guest MAC-address isolation

[Avi Kivity]

  On 08/06/2010 08:09 PM, Robert Rebstock wrote:
> Hello all,
>
> can anyone recommend a better way to achive (guest agnostic) MAC-address
> isolation in qemu/kvm then with user-mode networking?
>
> I have multiple guests requiring the same MAC-address, and user-mode/slirp
> networking is quite slow.
>

You can put the different guests on different bridges, and use IP 
routing to connect the two bridges; or you can use ebtables to mangle 
the MAC addresses.

-- 
error compiling committee.c: too many arguments to function

Re: guest MAC-address isolation

[Robert Rebstock]

Hello.
Thank you for your answer.

> ----- Original Message -----
> From: "Avi Kivity" <avi@redhat.com>
> To: "Robert Rebstock" <rebstock@scienceworks.com>
> Cc: kvm@vger.kernel.org
> Sent: Tuesday, August 17, 2010 11:36:41 AM
> Subject: Re: guest MAC-address isolation
> 
>   On 08/06/2010 08:09 PM, Robert Rebstock wrote:
> > Hello all,
> >
> > can anyone recommend a better way to achieve (guest agnostic) MAC-address
> > isolation in qemu/kvm then with user-mode networking?
> >
> > I have multiple guests requiring the same MAC-address, and user-mode/slirp
> > networking is quite slow.
> >
> 
> You can put the different guests on different bridges, and use IP 
> routing to connect the two bridges; or you can use ebtables to mangle 
> the MAC addresses.
> 

Could you possibly give me an example? Unfortunately my networking skills are not the best,
which is not to say that I don't try. The best I can do, after reading the
documentation I could find, is:

ebtables -t nat -A PREROUTING  -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT

but I can see no way to mangle multiple identical MACs so as to achieve layer-2
isolation for my snapshotted VMs.

Many thanks,

RR

Re: guest MAC-address isolation

[Avi Kivity]

  On 08/20/2010 08:48 PM, Robert Rebstock wrote:
> Hello.
> Thank you for your answer.
>
>> ----- Original Message -----
>> From: "Avi Kivity"<avi@redhat.com>
>> To: "Robert Rebstock"<rebstock@scienceworks.com>
>> Cc: kvm@vger.kernel.org
>> Sent: Tuesday, August 17, 2010 11:36:41 AM
>> Subject: Re: guest MAC-address isolation
>>
>>    On 08/06/2010 08:09 PM, Robert Rebstock wrote:
>>> Hello all,
>>>
>>> can anyone recommend a better way to achieve (guest agnostic) MAC-address
>>> isolation in qemu/kvm then with user-mode networking?
>>>
>>> I have multiple guests requiring the same MAC-address, and user-mode/slirp
>>> networking is quite slow.
>>>
>> You can put the different guests on different bridges, and use IP
>> routing to connect the two bridges; or you can use ebtables to mangle
>> the MAC addresses.
>>
> Could you possibly give me an example? Unfortunately my networking skills are not the best,
> which is not to say that I don't try. The best I can do, after reading the
> documentation I could find, is:
>
> ebtables -t nat -A PREROUTING  -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
> ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
>
> but I can see no way to mangle multiple identical MACs so as to achieve layer-2
> isolation for my snapshotted VMs.
>

You could use --in-interface to select packets based on which guest they 
originated from (for snat).

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.