[libvirt-users] Privacy Extension not working in VM
Thomas Luening
toml at thlu.de
Mon Sep 23 16:21:15 UTC 2019
Hi Daniel,
thanks for your response.
> You mention you used 'macvtap' but not which mode of macvtap? Nonetheless,
> if you're using it in bridge mode, or passthrough mode, there should
> be no filtering of guest traffic in general, since the guest traffic is
> forwarded at the ethernet layer, not IP layer.
>
> The exception would be if you have the br-netfilter extension loaded which
> causes guest traffic to be processed by the host firewall.
The macvtap device is started in bridge mode via a systemd service unit
before the VM is started, see below. The kernel module br-netfilter for
packet filtering is not loaded. But the PE-based IPv6 is still blocked.
The MAC-based IPv6 works fine.
BR, Tom
# cat /etc/systemd/system/kvm-network-lan.service
[Unit]
Description=kvm-local-network.service Setup a macvtap-Bridge for Client-Integration in LAN
After=network.target
Wants=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/sbin/ip link add link enp2s0 macvtap0 address d0:50:99:0a:0a:0a type macvtap mode bridge
ExecStartPre=/usr/sbin/ip link set macvtap0 up
ExecStart=/usr/sbin/ip link show macvtap0
ExecStop=/usr/sbin/ip link set macvtap0 down
ExecStopPost=/usr/sbin/ip link del macvtap0
[Install]
WantedBy=multi-user.target
# cat /etc/libvirt/qemu/vm1.xml | grep "<interface" -A 5
<interface type='direct'>
  <mac address='d0:50:99:0b:0b:0b'/>
  <source dev='macvtap0' mode='bridge'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>