From: Chris Webb <chris@arachsys.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Macvtap or tap+bridge
Date: Wed, 4 Apr 2012 15:18:43 +0100
Message-ID: <20120404141842.GA3966@arachsys.com>
When I first started setting up qemu-kvm VMs for customers, I set up their
internet-facing network with tap interfaces enslaved to a host bridge along
with the physical network card of the host, something like

    ip tuntap add dev tapN mode tap
    brctl addif br0 tapN
    ip link set tapN up
    qemu-kvm ... -net nic,... -net tap,ifname=tapN,script=no,downscript=no

More recently on my development boxes, I've been using macvtap in the form

    ip link add link eth0 name guestN address MAC type macvtap mode bridge
    ip link set guestN up
    qemu-kvm ... -net nic,macaddr=MAC,... -net tap,fd=3 \
        3<>/dev/tap$(< /sys/class/net/$1/ifindex)

In the bridge-based setup, I use ebtables rules on the tapN port to prevent
guests from receiving or emitting packets with the wrong MAC address, and also
to prevent them from ARPing for or more generally receiving or emitting
packets from IP addresses which don't belong to them.
With macvtap, the setup and configuration is nicer and the MAC address
restriction is built-in, but there doesn't appear to be a mechanism to apply
any other filter, such as that which would be needed to restrict guests to
particular IP addresses or from emitting non-IP protocols.
On the other hand, the machines using the bridges appear to be much easier to
DoS with packet floods than normal Linux hosts, presumably because their
public-facing interfaces run in promiscuous mode. Macvtap-based hosts with
their simple, static configuration seem as immune as normal Linux hosts with
standard one-eth0-interface networking.
Is there a way to get the best of both worlds? I'd love to have the static MAC
setup and DoS resistance of macvtap but still be able to apply some basic
filter rules, restricting VMs to the handful of IPv4/6 addresses they're
entitled to. In the absence of ebtables for macvtap, is there some way I can
send packets relating to a macvtap interface through netfilter, in the same
way CONFIG_BRIDGE_NETFILTER would do for packets traversing a Linux bridge?
Best wishes,
Chris.
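The per-port ebtables anti-spoofing filter the message describes for the tap+bridge setup, as an added example that is not part of the original post or its author's scripts. It assumes the tap port is already enslaved to br0 as above, that the guest uses static addresses (DHCP from 0.0.0.0 and IPv6 DAD from :: would be dropped by the final rule), and that any IPv6 guest is also granted its fe80:: link-local address so NDP works; the interface, MAC and addresses in the test are constructed values.

```shell
#!/bin/sh
# Emit one ebtables command per line for a guest tap port on a Linux bridge:
# frames from the guest must carry its own MAC and one of its IPs (or ARP for
# them); frames towards the guest must be broadcast/multicast or unicast to
# its MAC. Generated commands are printed so they can be reviewed or applied.
#
# usage: vm_filter_rules PORT MAC IP [IP...]
vm_filter_rules() {
  port=$1; mac=$2; shift 2
  in_chain="vm-${port}-in"; out_chain="vm-${port}-out"
  # One chain pair per port keeps FORWARD short and makes teardown a
  # single "ebtables -F/-X" on the two chains.
  echo "ebtables -N $in_chain"
  echo "ebtables -N $out_chain"
  echo "ebtables -A FORWARD -i $port -j $in_chain"
  echo "ebtables -A FORWARD -o $port -j $out_chain"
  # Guest -> bridge: source MAC must be the one assigned to this guest.
  echo "ebtables -A $in_chain -s ! $mac -j DROP"
  for ip in "$@"; do
    case $ip in
      *:*) # IPv6 literal (address or prefix/len); include the fe80:: address
        echo "ebtables -A $in_chain -p IPv6 --ip6-src $ip -j ACCEPT" ;;
      *)   # IPv4 literal; ARP is allowed only for the guest's own IP and MAC
        echo "ebtables -A $in_chain -p IPv4 --ip-src $ip -j ACCEPT"
        echo "ebtables -A $in_chain -p ARP --arp-ip-src $ip --arp-mac-src $mac -j ACCEPT" ;;
    esac
  done
  # Everything else from the guest (foreign IPs, non-IP ethertypes) is dropped.
  echo "ebtables -A $in_chain -j DROP"
  # Bridge -> guest: pass broadcast/multicast, then only unicast to its MAC.
  echo "ebtables -A $out_chain -d ! Unicast -j ACCEPT"
  echo "ebtables -A $out_chain -d $mac -j ACCEPT"
  echo "ebtables -A $out_chain -j DROP"
}

# Run as a script: print the rules, or apply them when APPLY=1 is set.
if [ "$#" -ge 3 ]; then
  if [ "${APPLY:-0}" = 1 ]; then
    vm_filter_rules "$@" | sh -e
  else
    vm_filter_rules "$@"
  fi
fi
```

Order matters: the chains and their FORWARD jumps should be in place before the guest's tap is added to br0, otherwise there is a window with no filtering.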