[libvirt-users] Networking with qemu/kvm+libvirt
Andre Goree
andre at drenet.net
Tue Jan 12 16:16:18 UTC 2016
On 01/11/2016 3:05 pm, Laine Stump wrote:
> On 01/11/2016 02:25 PM, Andre Goree wrote:
>>
>> I have some questions regarding the way that networking is handled via
>> qemu/kvm+libvirt -- my apologies in advance if this is not the proper
>> mailing list for such a question.
>>
>>
>> I am trying to determine how exactly I can manipulate traffic from a
>> _guest's_ NIC using iptables on the _host_.
>
> It depends on which type of networking you are using.
>
> 1) If your guest is using a macvtap device to connect to the outside,
> then iptables processing isn't done on the traffic. I saw something
> awhile back about getting that limitation removed from macvtap in the
> kernel, but don't remember what is the current status.
>
> 2) If your guest is using a standard tap device that is attached to an
> Open vSwitch bridge, then iptables processing isn't done - ovs has
> its own version of packet filtering (that's as much as I know about
> it). Note that OpenStack's networking uses OVS, but sets up a separate
> Linux host bridge device for each guest device and puts it in between
> the guest's tap device and the OVS bridge at least partly so that
> iptables filtering can be done on the guest traffic.
>
> 3) If your guest is using a standard tap device that is attached to a
> Linux host bridge, then all the traffic to/from the guest will be
> processed by iptables and ebtables on the host. libvirt has a
> subsystem that can help you create filtering rules that will be
> applied to the guest interfaces *on the host*:
>
>
> https://libvirt.org/formatnwfilter.html
>
Thank you so much for this info!
>> On the host, there is a bridged virtual NIC that corresponds to the
>> guest's NIC. That interface does not have an IP setup on it on the
>> host, however within the vm itself the IP is configured and everything
>> works as expected.
>>
>> During my testing, I've seemingly determined that traffic from the vm
>> does NOT traverse iptables on the host, but I _can_ in fact see the
>> traffic via tcpdump on the host. This seems odd to me, unless the
>> traffic is passed on during interaction with the kernel, and thus
>> never actually reaches iptables. I've gone as far as trying to log
>> via iptables any and all traffic traversing the guest's interface on
>> the host, but to no avail (iptables does not see any traffic from the
>> guest's NIC on the host).
>>
>> Is this the way it's supposed to work? And if so, is there any way I
>> can do IP/port redirection silently on the _host_?
>
> libvirt's "default" network does that for traffic outbound from the
> guest. For traffic inbound to a guest connected to libvirt's default
> network (or any other Linux host bridge), you can add a DNAT rule.
> Here is an example:
>
> http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
>
> You may also find this article useful:
>
> https://libvirt.org/firewall.html
Again, much thanks! You've pointed me in the right direction, something
I've direly needed for months, lol.
--
Andre Goree
-=-=-=-=-=-
Email - andre at drenet.net
Website - http://www.drenet.net
PGP key - http://www.drenet.net/pubkey.txt
-=-=-=-=-=-
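The three cases Laine lists above (macvtap, Open vSwitch, Linux host bridge), as an added example that is not part of the thread: a small Python script that reads a libvirt domain XML and reports, for each guest NIC, how it attaches to the host, whether host iptables/ebtables will process its traffic, and which nwfilter (if any) is attached. The domain XML is constructed for the example; for `type='network'` the answer is only certain for libvirt's `default` network, which is a Linux host bridge.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): one NIC per case.
SAMPLE_DOMAIN_XML = """<domain type='kvm'><name>demo</name><devices>
  <interface type='direct'><source dev='eth0' mode='bridge'/></interface>
  <interface type='bridge'><source bridge='ovsbr0'/>
    <virtualport type='openvswitch'/><target dev='vnet1'/></interface>
  <interface type='bridge'><source bridge='br0'/>
    <filterref filter='clean-traffic'/><target dev='vnet2'/></interface>
  <interface type='network'><source network='default'/></interface>
</devices></domain>"""

def classify_interfaces(domain_xml):
    """One dict per <interface>: how the guest NIC attaches to the host,
    whether host iptables/ebtables will process its traffic (cases 1-3 in
    Laine's reply; None = cannot tell from the domain XML alone), and which
    libvirt nwfilter, if any, is attached to it."""
    results = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        itype = iface.get("type")
        src = iface.find("source")
        vport = iface.find("virtualport")
        if itype == "direct":                       # case 1: macvtap
            kind, filtered = "macvtap", False
        elif itype == "bridge" and vport is not None \
                and vport.get("type") == "openvswitch":  # case 2: OVS bridge
            kind, filtered = "openvswitch", False
        elif itype == "bridge":                     # case 3: Linux host bridge
            kind, filtered = "linux-bridge", True
        elif itype == "network" and src is not None \
                and src.get("network") == "default":    # default net = Linux bridge
            kind, filtered = "libvirt-default-network", True
        elif itype == "network":                    # depends on the network's forward mode
            kind, filtered = "libvirt-network", None
        else:
            kind, filtered = itype or "unknown", None
        target = iface.find("target")
        fref = iface.find("filterref")
        results.append({
            "type": itype,
            "host_dev": target.get("dev") if target is not None else None,
            "attachment": kind,
            "host_iptables_sees_traffic": filtered,
            "nwfilter": fref.get("filter") if fref is not None else None,
        })
    return results

if __name__ == "__main__":
    for r in classify_interfaces(SAMPLE_DOMAIN_XML):
        print(r)
```

Feed it the output of `virsh dumpxml <domain>` to check a real guest; `host_dev` is the tap/macvtap name you would match in iptables or tcpdump on the host.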