qemu-devel.nongnu.org archive mirror
* [Qemu-devel] tun interface
@ 2004-08-26 20:30 Andrej
  2004-08-26 21:20 ` Joe Menola
  0 siblings, 1 reply; 9+ messages in thread
From: Andrej @ 2004-08-26 20:30 UTC (permalink / raw)
  To: qemu-devel



Hi Guys,

Just a brief question (not covered too well in the documentation
I'm afraid). The documentation says that qemu will create a
device in /dev/net/tun - but on my machine it doesn't - what
do I need to do to be able to access the network from a
qemu virtual machine? I'm familiar with the concept of NATing
and know how to set-up iptables to achieve that.



Cheers,
Tink



* Re: [Qemu-devel] tun interface
  2004-08-26 20:30 [Qemu-devel] tun interface Andrej
@ 2004-08-26 21:20 ` Joe Menola
  2004-08-26 23:37   ` Andrej
  0 siblings, 1 reply; 9+ messages in thread
From: Joe Menola @ 2004-08-26 21:20 UTC (permalink / raw)
  To: qemu-devel

On Thu August 26 2004 3:30 pm, Andrej wrote:
> Hi Guys,
>
> Just a brief question (not covered too well in the documentation
> I'm afraid). The documentation says that qemu will create a
> device in /dev/net/tun - but on my machine it doesn't - what
> do I need to do to be able to access the network from a
> qemu virtual machine? I'm familiar with the concept of NATing
> and know how to set-up iptables to achieve that.
>
You need kernel support for tun (modprobe tun).

You'll find it under "Networking support" using xconfig. Once the module is 
loaded /dev/net/tun will be created.

-jm


* Re: [Qemu-devel] tun interface
  2004-08-26 21:20 ` Joe Menola
@ 2004-08-26 23:37   ` Andrej
  2004-08-26 23:44     ` Jim C. Brown
  2004-08-27  0:02     ` Joe Menola
  0 siblings, 2 replies; 9+ messages in thread
From: Andrej @ 2004-08-26 23:37 UTC (permalink / raw)
  To: qemu-devel

On Fri, 27 Aug 2004 09:20, Joe Menola wrote:
Hi Joe,

Thanks for the response.
> You need kernel support for tun (modprobe tun).

> You'll find it under "Networking support" using xconfig. Once
> the module is loaded /dev/net/tun will be created.
It is present, but qemu doesn't create anything under
/dev/net/tun even with tun pre-loaded. Do I need to
make the executable SUID or something?


> -jm
Andrej


* Re: [Qemu-devel] tun interface
  2004-08-26 23:37   ` Andrej
@ 2004-08-26 23:44     ` Jim C. Brown
  2004-08-26 23:52       ` Andrej
  2004-08-27  0:02     ` Joe Menola
  1 sibling, 1 reply; 9+ messages in thread
From: Jim C. Brown @ 2004-08-26 23:44 UTC (permalink / raw)
  To: qemu-devel

On Fri, Aug 27, 2004 at 11:37:23AM +1200, Andrej wrote:
> On Fri, 27 Aug 2004 09:20, Joe Menola wrote:
> Hi Joe,
> 
> Thanks for the response.
> > You need kernel support for tun (modprobe tun).
> 
> > You'll find it under "Networking support" using xconfig. Once
> > the module is loaded /dev/net/tun will be created.
> It is present, but qemu doesn't create anything under
> /dev/net/tun even with tun pre-loaded. Do I need to
> make the executable SUID or something?
> 
> 
> > -jm
> Andrej
> 
> 

Keep in mind that the tun device is created in the ethernet namespace, not in
the /dev tree. So, to see it, you'll need to use ifconfig.

/dev/net/tun is accessible by root only, by default. You either need root
perms or you have to change the permissions on /dev/net/tun to let
qemu use it.


-- 
Infinite complexity begets infinite beauty.
Infinite precision begets infinite perfection.


* Re: [Qemu-devel] tun interface
  2004-08-26 23:44     ` Jim C. Brown
@ 2004-08-26 23:52       ` Andrej
  0 siblings, 0 replies; 9+ messages in thread
From: Andrej @ 2004-08-26 23:52 UTC (permalink / raw)
  To: qemu-devel

On Fri, 27 Aug 2004 11:44, Jim C. Brown wrote:
> /dev/net/tun is accessible by root only, by default. You
> either need root perms or you have to change the permissions
> on /dev/net/tun to let qemu use it.

The perms are as follows:
crw-rw----  1 root wheel 10, 200 2001-03-26 09:04 tun
drwxrwxr-x  2 root wheel 72 2001-03-26 09:04 /dev/net
and the user running qemu is member of wheel

Good enough?


Cheers
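
Added example, not part of the original message: a shell check of which permission class lets a given user open a device node read-write, applied to the listing above (mode 660, root:wheel). The function names, the users alice and bob, and their group lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which permission class lets USER open a device node
# read-write (the way /dev/net/tun has to be opened)?

# in_list WORD ITEM...: succeed if WORD is one of the ITEMs.
in_list() {
    want=$1; shift
    for item in "$@"; do
        if [ "$item" = "$want" ]; then return 0; fi
    done
    return 1
}

# node_access MODE OWNER GROUP USER "USER_GROUPS"
#   MODE is octal as printed by `stat -c %a`, e.g. 660.
#   Prints root | owner | group | other | none.
node_access() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    # Keep the last three octal digits (drops setuid/setgid/sticky).
    perms=$(printf '%s\n' "00$mode" | sed 's/.*\(...\)$/\1/')
    u=${perms%??}; o=${perms#??}; g=${perms#?}; g=${g%?}
    if [ "$user" = root ]; then echo root; return 0; fi
    # Only the first matching class applies: owner, then group, then other.
    if [ "$user" = "$owner" ]; then class=owner bits=$u
    elif in_list "$group" $user_groups; then class=group bits=$g
    else class=other bits=$o
    fi
    case $bits in
        6|7) echo "$class" ;;   # read and write are both granted
        *)   echo none ;;
    esac
}

# audit_node PATH USER: classify a real node (needs GNU stat and id).
audit_node() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- "$2" $info
    node_access "$2" "$3" "$4" "$1" "$(id -Gn "$1")"
}

# Values from the listing above; alice and her groups are constructed.
node_access 660 root wheel alice "users wheel"   # prints: group
```

On Linux, read-write access to the node is necessary but not sufficient: creating a new tun interface also requires CAP_NET_ADMIN.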


* Re: [Qemu-devel] tun interface
  2004-08-26 23:37   ` Andrej
  2004-08-26 23:44     ` Jim C. Brown
@ 2004-08-27  0:02     ` Joe Menola
  2004-08-27  6:43       ` Renzo Davoli
  2004-08-27 23:15       ` Andrej
  1 sibling, 2 replies; 9+ messages in thread
From: Joe Menola @ 2004-08-27  0:02 UTC (permalink / raw)
  To: qemu-devel

On Thu August 26 2004 6:37 pm, Andrej wrote:
> It is present, but qemu doesn't create anything under
> /dev/net/tun even with tun pre-loaded. Do I need to
> make the executable SUID or something?

By default qemu looks for /etc/qemu-ifup. This can be overridden using -n
<path to network script>.
In either case this script needs to run as root. I use sudo for this.

My /etc/qemu-ifup

#!/bin/sh
sudo /sbin/ifconfig $1 <ip address>

script also needs to be executable.

This is only my understanding of the tun concept, and it works. :)

-jm


* Re: [Qemu-devel] tun interface
  2004-08-27  0:02     ` Joe Menola
@ 2004-08-27  6:43       ` Renzo Davoli
  2004-08-27 23:15       ` Andrej
  1 sibling, 0 replies; 9+ messages in thread
From: Renzo Davoli @ 2004-08-27  6:43 UTC (permalink / raw)
  To: qemu-devel

Both actions (changing tuntap permissions and granting sudo permission for
ifconfig) are deprecated for security.

If you are running qemu on your own computer this can be a minor
problem, although it can be a hint in case of intrusion.
The Unix family has had minor problems (I'd say no problems) with
viruses & Co. because of the clear multiuser approach and
policy of access permission.

Anyway if you plan to run qemu in public places (e.g. a University lab)
tuntap permissions and sudo cannot be changed, if you do not like
risks.

	renzo

P.S. vde was designed also for this problem. NB it is not an
advertisement.
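
Added example, not part of the original thread: one way to narrow the sudo grant discussed above, by letting sudo run only a small root-owned helper that validates the interface name, instead of ifconfig itself. This narrows the privilege rather than removing it. The helper path, the user name alice and the address 172.20.0.1 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: root-owned helper (hypothetical path
# /usr/local/sbin/qemu-tun-up) that /etc/qemu-ifup calls through sudo in
# place of a blanket "sudo /sbin/ifconfig". A sudoers rule can then allow
# only this one command, e.g. (user name constructed):
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/qemu-tun-up
# and /etc/qemu-ifup becomes:  sudo /usr/local/sbin/qemu-tun-up "$1"

HOST_ADDR=172.20.0.1    # constructed host-side address for the tun link

# valid_tun_name NAME: accept only tunN / tapN with N of 1 to 3 digits.
valid_tun_name() {
    case $1 in
        tun*|tap*) num=${1#???} ;;
        *) return 1 ;;
    esac
    case $num in
        ''|*[!0-9]*) return 1 ;;    # empty, or anything besides digits
    esac
    [ "${#num}" -le 3 ]
}

# qemu_tun_up NAME: configure NAME with the fixed address, or refuse (64).
qemu_tun_up() {
    if ! valid_tun_name "$1"; then
        echo "qemu-tun-up: refusing interface name '$1'" >&2
        return 64
    fi
    /sbin/ifconfig "$1" "$HOST_ADDR" up
}

# qemu passes the interface name as $1; do nothing when called without one.
if [ $# -gt 0 ]; then
    qemu_tun_up "$1"
fi
```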


* Re: [Qemu-devel] tun interface
  2004-08-27  0:02     ` Joe Menola
  2004-08-27  6:43       ` Renzo Davoli
@ 2004-08-27 23:15       ` Andrej
  2004-08-28  5:37         ` Joe Menola
  1 sibling, 1 reply; 9+ messages in thread
From: Andrej @ 2004-08-27 23:15 UTC (permalink / raw)
  To: qemu-devel

On Fri, 27 Aug 2004 12:02, Joe Menola wrote:
> My /etc/qemu-ifup
>
> #!/bin/sh
> sudo /sbin/ifconfig $1 <ip address>
>
> script also needs to be executable.
>
> This is only my understanding of the tun concept, and it
> works. :)
That's quite odd ... when there was no qemu-ifup my virtual
Slackware install had a network interface that it brought
up ... with tun and NATing I don't seem to get eth0 anymore.


Cheers,
Tink


* Re: [Qemu-devel] tun interface
  2004-08-27 23:15       ` Andrej
@ 2004-08-28  5:37         ` Joe Menola
  0 siblings, 0 replies; 9+ messages in thread
From: Joe Menola @ 2004-08-28  5:37 UTC (permalink / raw)
  To: qemu-devel

On Fri August 27 2004 6:15 pm, Andrej wrote:
> On Fri, 27 Aug 2004 12:02, Joe Menola wrote:
> > My /etc/qemu-ifup
> >
> > #!/bin/sh
> > sudo /sbin/ifconfig $1 <ip address>
> >
> > script also needs to be executable.
> >
> > This is only my understanding of the tun concept, and it
> > works. :)
>
> That's quite odd ... when there was no qemu-ifup my virtual
> Slackware install had a network interface that it brought
> up ... with tun and NATing I don't seem to get eth0 anymore.
>
>
I believe Qemu defaults to user-net if no ifup is found. My guess is your tun
device isn't set up properly.

You must set up iptables. I start iptables via init, so I add a MASQ rule:
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/etc/rc.d/init.d/iptables save

(this way I don't have to worry about nat after each boot)


And after Qemu is running, root must set up ip_forward. This cannot be done
with iptables running. I do this via a script called by qemu-ifup:

#!/bin/sh
/etc/rc.d/init.d/iptables stop
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/rc.d/init.d/iptables start

-jm

