simple networking howto

simple networking howto

[richard lucassen]

Hello list,

As there is another way to connect VM's to the hosts network apart from
bridging, so I wrote a simple howto:

http://www.xaq.nl/kvm-tap-howto.txt

I have used this method quite a lot ever since I started using KVM
(KVM-8?)

Would this be useful enough to add it to the networking howto?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

Re: simple networking howto

[Avi Kivity]

On 12/28/2009 10:14 PM, richard lucassen wrote:
> Hello list,
>
> As there is another way to connect VM's to the hosts network apart from
> bridging, so I wrote a simple howto:
>
> http://www.xaq.nl/kvm-tap-howto.txt
>
> I have used this method quite a lot ever since I started using KVM
> (KVM-8?)
>
> Would this be useful enough to add it to the networking howto?
>    

I think so.  As its own page (with a link) so as not to add to the 
confusion, please.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

Re: simple networking howto

[Riccardo]

---------- Original Message -----------
From: Avi Kivity <avi@redhat.com>
To: kvm@vger.kernel.org
Cc: richard lucassen <mailinglists@lucassen.org>
Sent: Mon, 28 Dec 2009 22:28:45 +0200
Subject: Re: simple networking howto

> On 12/28/2009 10:14 PM, richard lucassen wrote:
> > Hello list,
> >
> > As there is another way to connect VM's to the hosts network apart from
> > bridging, so I wrote a simple howto:
> >
> > http://www.xaq.nl/kvm-tap-howto.txt
> >
> > I have used this method quite a lot ever since I started using KVM
> > (KVM-8?)
> >
> > Would this be useful enough to add it to the networking howto?
> >    
>
> I think so.  As its own page (with a link) so as not to add to the
> confusion, please.
>
> --
> I have a truly marvellous patch that fixes the bug which this
> signature is too narrow to contain.
>
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
------- End of Original Message -------

I think this from gentoo-wiki.com/wiki/KVM it's usefull for your howto    
Add in /etc/sysctl.conf:
#
# Setup bridge interface for KVM
#
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0

With this lines it isn't necessary the iptables rules.
Best regards,

Riccardo

Re: simple networking howto

[Chris Dukes]

On Mon, Dec 28, 2009 at 09:14:58PM +0100, richard lucassen wrote:
> Hello list,
> 
> As there is another way to connect VM's to the hosts network apart from
> bridging, so I wrote a simple howto:
> 
> http://www.xaq.nl/kvm-tap-howto.txt
> 
> I have used this method quite a lot ever since I started using KVM
> (KVM-8?)
> 
> Would this be useful enough to add it to the networking howto?
> 
> R.

I'm afraid I'm a bit more insane in this reguard...
But I'm on an older ubuntu that still believes in downing everything auto
in /etc/network/interfaces or managed via network manager upon
suspend or hibernate.

Anyways the background.
1) I'm forgetful
2) I'm lazy
3) I don't like network disappearing on VMs.
4) I don't like fiddling with settings when moving from wired to wireless
5) Our network facilities folks have some issues
6) Our corporate security folks are sometimes insane, but this actually
led to a clever idea inspired by iptables-save.

apt-get install vde2
(kvm package depends on bridge-utils)

cat >> /etc/network/interfaces << EEOOTT
# Manual interfaces are not dropped on suspend and resume
iface vde0 inet manual
  vde2-switch -t vde0

# But we don't really care if the bridge goes up or down
auto br_vde0
iface br_vde0 inet static
  address 192.168.0.1
  netmask 255.255.255.0
  bridge_ports vde0
  bridge_maxwait 0
  pre-up ifup vde0 

EEOOTT

cat > /etc/iptables.d/filter/INPUT/00-pr-vm.rule << EEOOTT
# These go into the INPUT chain on the filter table 
-A INPUT -i br_vde0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -i br_vde0 -d 255.255.255.255/32 -j ACCEPT
EEOOTT

cat /etc/iptables.d/filter/FORWARD/00-pr-vm.rule << EEOOTT
# These go into the FORWARD chain on the filter table 
-A FORWARD -i eth0 -o br_vde0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD  -i br_vde0 -o eth0 -j ACCEPT
-A FORWARD -i wlan0 -o br_vde0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD  -i br_vde0 -o wlan0 -j ACCEPT
EEOOTT

cat /etc/iptables.d/nat/POSTROUTING/00-vm-nat.rule << EEOOTT
# These go into the POSTROUTING chain of the nat table
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
EEOOTT

And Voila... I don't have to remember to manually setup the bridge 
between VDE and a tap device on the host, don't have to watch
VDE or tap devices disappear on suspend, and networking just keeps
working when I switch from wired to wireless (Well existing
connections get a little unhappy, but that happens on the host
too)


I'll leave it as an exercise for the reader how the
iptables-save format file is generated.


-- 
Chris Dukes