From: Robert Rebstock
Subject: guest MAC-address isolation
Date: Sun, 25 Jan 2009 00:56:26 +0100 (CET)
To: kvm@vger.kernel.org
Message-ID: <5133049.41461232841386889.JavaMail.root@mail>
In-Reply-To: <23005102.41431232840956986.JavaMail.root@mail>

Hello kvmers.

I am having network issues that I suspect are related to kvm's user mode
networking; in particular:

I have a server setup with virtualized kvm clients started with
"user mode" networking and RDP port redirection as follows:

  7719 ?        Sl   454:05  \_ kvm -m 2048 -redir tcp:3394::3389 ...
  7731 ?        Sl    97:58  \_ kvm -m 2048 -redir tcp:3393::3389 ...
  7768 ?        Sl   109:23  \_ kvm -m 2048 -redir tcp:3392::3389 ...
  7801 ?        Sl    43:46  \_ kvm -m 2048 -redir tcp:3391::3389 ...
  7823 ?        Sl    16:19  \_ kvm -m 2048 -redir tcp:3398::3389 ...
  7834 ?        Sl    59:38  \_ kvm -m 2048 -redir tcp:3395::3389 ...

which are being accessed by linux rdesktop clients.

Although server and clients are on the same LAN, RDP-traffic is only
updated in correlation to user input, leaving me looking for a way to
circumvent this, so that the users don't have to frantically thrash their
mouse to and fro, to get data on their usb-sticks or watch YouTube. ;-)

All kvm's are using (and must use) the same MAC-address; this shouldn't
be a problem with "-net user", right?

Aside from my specific setup, what I'm really looking for is the best way
to achieve "guest MAC-address isolation".

Is slirpvde worth trying, or maybe tcp-bridge (I suspect that the
performance is not acceptable)?

Any ideas on whether there is a way to achieve "guest MAC address
isolation" with ebtables? I can get "MAC NAT" (sort of) working with:

  ebtables -t nat -A PREROUTING  -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
  ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT

but I have no idea on how I might be able to achieve "guest MAC address
isolation" with multiple guests needing the same MAC.

My current non "user mode" networking setup looks as such (a little
debian specific):

/etc/network/interfaces:

  auto lo
  iface lo inet loopback

  auto br0
  iface br0 inet static
      bridge_ports eth0
      bridge_maxwait 0
      address 192.168.2.200
      netmask 255.255.255.0
      gateway 192.168.2.1
      pre-up modprobe ip_conntrack_tftp
      pre-up modprobe ip_conntrack_ftp
      pre-up modprobe ip_nat_tftp
      pre-up modprobe ip_nat_ftp

  auto natbr0
  iface natbr0 inet static
      bridge_ports dummy
      bridge_maxwait 0
      address 192.168.99.1
      netmask 255.255.255.0
      up /usr/sbin/dnsmasq --interface=natbr0 --except-interface=lo --bind-interfaces --user=nobody \
          --dhcp-range=natbr0,192.168.99.50,192.168.99.100,255.255.255.0,192.168.99.255,72h \
          --domain=example.net --pid-file=/var/run/natbr0_dnsmasq.pid --conf-file
      post-up echo 1 > /proc/sys/net/ipv4/ip_forward
      post-up iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
      post-up iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT
      post-up iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT

/etc/kvm/kvm-ifup-br:

  #!/bin/sh
  BRIDGE=br0
  /sbin/ifconfig $1 0.0.0.0 up
  /usr/sbin/brctl addif $BRIDGE $1

/etc/kvm/kvm-ifup-natbr:

  #!/bin/sh
  BRIDGE=natbr0
  /sbin/ifconfig $1 0.0.0.0 up
  /usr/sbin/brctl addif $BRIDGE $1

I would be most interested in a (guest agnostic) ebtables solution. Any
help or insight is much appreciated.

Thank you in advance, best regards,
Robert

PS. Please BCC me, as I am not on the list.