* [Qemu-devel] Macvtap or tap+bridge
@ 2012-04-04 14:18 Chris Webb
From: Chris Webb @ 2012-04-04 14:18 UTC (permalink / raw)
To: qemu-devel
When I first started setting up qemu-kvm VMs for customers, I set up their
internet-facing network with tap interfaces enslaved to a host bridge along
with the physical network card of the host, something like
  ip tuntap add dev tapN mode tap
  brctl addif br0 tapN
  ip link set tapN up
  qemu-kvm ... -net nic,... -net tap,ifname=tapN,script=no,downscript=no
More recently on my development boxes, I've been using macvtap in the form
  ip link add link eth0 name guestN address MAC type macvtap mode bridge
  ip link set guestN up
  qemu-kvm ... -net nic,macaddr=MAC,... -net tap,fd=3 \
      3<>/dev/tap$(< /sys/class/net/$1/ifindex)
In the bridge-based setup, I use ebtables rules on the tapN port to prevent
guests from receiving or emitting packets with the wrong MAC address, and also
to prevent them from ARPing for or more generally receiving or emitting
packets from IP addresses which don't belong to them.
With macvtap, the setup and configuration is nicer and the MAC address
restriction is built-in, but there doesn't appear to be a mechanism to apply
any other filter, such as that which would be needed to restrict guests to
particular IP addresses or from emitting non-IP protocols.
On the other hand, the machines using the bridges appear to be much easier to
DoS with packet floods than normal linux hosts, presumably because their
public-facing interfaces run in promiscuous mode. Macvtap-based hosts with
their simple, static configuration seem as immune as normal linux hosts with
standard one-eth0-interface networking.
Is there a way to get the best of both worlds? I'd love to have the static MAC
setup and DoS resistance of macvtap but still be able to apply some basic
filter rules, restricting VMs to the handful of ipv4/6 addresses they're
entitled to. In the absence of ebtables for macvtap, is there some way I can
send packets relating to a macvtap interface through netfilter, in the same
way CONFIG_BRIDGE_NETFILTER would do for packets traversing a linux bridge?
Best wishes,
Chris.