From: Kurt Neufeld <kneufeld@burgundywall.com>
To: Avi Kivity <avi@qumranet.com>
Cc: kvm-devel@lists.sourceforge.net
Subject: Re: howto set up a virtual firewall?
Date: Wed, 20 Feb 2008 23:16:37 -0700
Message-ID: <47BD1745.5080707@burgundywall.com>
In-Reply-To: <47BC2EA1.600@qumranet.com>


Avi Kivity wrote:
> 
> Assuming you have eth0 on the host, tap0 on the host visible as eth0 in 
> the guest, and tap1 in the host visible as eth1 in the guest, you can 
> add a bridge between eth0 and tap0, and use tap1 as the nic in the host 
> for IP (e.g. run 'dhclient tap1' to obtain an internal IP address).

It turns out I did have everything correctly configured but it still 
doesn't work. The problem is that I cannot get a DHCP address on my vm.

I can see the DHCP Request packets going out and can see the Replies 
getting back to my physical card that I'm running tcpdump on. But for 
some reason the vm doesn't get/see them. The host has no iptables rules, 
all policies set to ACCEPT (yikes!).

I even tried 'echo 1 > /proc/sys/net/ipv4/conf/*/bootp_relay' but that 
didn't help.

If I configure the vm nic with a static address (the one that my host 
just gave up) then I can surf the net, even forward packets from my host 
machine that no longer has a public ip address. Unfortunately that is 
not an acceptable long term solution.

Some general questions, should br0 be up or down? What should my vm MAC 
be? The same as my physical card (peth) which is also the same as the 
bridge (br0)? The vnet0 does not match. (output later)

Somewhat related, I set up my internal nic as a bridge as well, but I 
can't get the vm to get a dhcp address there either. Can one member of a 
bridge get a dhcp address from another member of the bridge?

I'm running fedora 8 with kernel 2.6.23.15-137.fc8 if that makes any 
difference.

[root@xavier ~]
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050047fb5a3       no              peth0
                                                         vnet0
br1             8000.001617d8fc32       no              peth1
                                                         vnet1

br0 is external
br1 is internal

[root@xavier ~]
# ifconfig |grep HWaddr
br0       Link encap:Ethernet  HWaddr 00:50:04:7F:B5:A3
br1       Link encap:Ethernet  HWaddr 00:16:17:D8:FC:32
peth0     Link encap:Ethernet  HWaddr 00:50:04:7F:B5:A3
peth1     Link encap:Ethernet  HWaddr 00:16:17:D8:FC:32
vnet0     Link encap:Ethernet  HWaddr 00:FF:79:58:28:0F
vnet1     Link encap:Ethernet  HWaddr 00:FF:DB:40:5D:D2


Thanks for the replies, please keep them coming!

Kurt
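A small consistency check over the `brctl show` and `ifconfig` output in the post, added here as an example and not part of the thread. It relies on one fact about Linux bridging: a bridge with no address set explicitly takes the numerically lowest MAC of its member ports, which is why br0 reports the same HWaddr as peth0 above. The sample input is constructed from the post and the helper names are mine.

```python
import re
# Constructed sample, in the shape of the `brctl show` and `ifconfig` output
# quoted in the post (added example; helper names are mine, not the thread's).
BRCTL_OUT = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050047fb5a3       no              peth0
                                                         vnet0
br1             8000.001617d8fc32       no              peth1
                                                         vnet1
"""
IFCONFIG_OUT = """\
br0       Link encap:Ethernet  HWaddr 00:50:04:7F:B5:A3
br1       Link encap:Ethernet  HWaddr 00:16:17:D8:FC:32
peth0     Link encap:Ethernet  HWaddr 00:50:04:7F:B5:A3
peth1     Link encap:Ethernet  HWaddr 00:16:17:D8:FC:32
vnet0     Link encap:Ethernet  HWaddr 00:FF:79:58:28:0F
vnet1     Link encap:Ethernet  HWaddr 00:FF:DB:40:5D:D2
"""

def parse_brctl(text):
    """Return {bridge: (mac_from_bridge_id, [ports])}; indented lines add ports."""
    bridges, name = {}, None
    for line in filter(str.strip, text.splitlines()[1:]):   # skip header row
        if line[0].isspace():
            bridges[name][1].append(line.strip())
        else:
            name, bid, _stp, port = line.split()
            hexmac = bid.split(".")[1]           # low 48 bits of the bridge id
            mac = ":".join(hexmac[i:i + 2] for i in range(0, 12, 2))
            bridges[name] = (mac, [port])
    return bridges

def parse_hwaddr(text):
    """Return {iface: mac} (lower-case) from `ifconfig | grep HWaddr` lines."""
    pat = re.compile(r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+(\S+)", re.M)
    return {m.group(1): m.group(2).lower() for m in pat.finditer(text)}

def check_bridges(bridges, macs):
    """Per bridge: expected MAC (lowest member MAC), whether both the bridge id
    and the HWaddr carry it, and whether the guest port MACs differ from the NIC."""
    report = {}
    for br, (id_mac, ports) in bridges.items():
        port_macs = [macs[p] for p in ports]
        expected = min(port_macs)
        report[br] = {"expected_mac": expected, "mac_ok": macs[br] == expected == id_mac,
                      "ports_unique": len(set(port_macs)) == len(port_macs)}
    return report
```

Run against the post's data, both bridges come back `mac_ok` and `ports_unique`, so the vnet MACs differing from peth0/peth1 is the normal state rather than a misconfiguration.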

