Bridge and VLAN trunk

Gionatan Danti g.danti at assyoma.it
Thu Mar 11 10:53:31 UTC 2021


Dear list,
I have a question about the best use of bridge, vlan trunk and libvirt.

When dealing with virtual machines bound to specific vlan, I generally 
use a straightforward approach:
eth -> bridge -> vm (for untagged traffic)
eth -> eth.10 -> bridge -> vm
eth -> eth.nn -> bridge -> vm

Now I am faced with enabling vlan trunking for a specific vm (a 
virtualized firewall). The simpler approach would be:
eth -> bridge -> vm (for the vm needing trunk)
eth -> bridge.10 -> macvtap -> vm

The issue with the above method is that any VM on the main untagged vlan 
needs to be bound to the "plain" bridge, having access to *any* traffic 
of *any* other vlan. If this is ok (and the desired behavior) for the 
firewall, it is clearly wrong for the other VMs.

A simple fix would be to use ebtables to block/drop vlan tagged traffic 
on the main bridge for any virtual adapter except the required one (ie: 
the firewall virtual interface). It works, but I wonder if other 
preferred approaches exist.

For example, I tested another more convoluted setup:
eth -> bridge -> firewall vm
eth -> bridge.10 -> macvtap -> vm
eth -> bridge -> veth0 -> veth1 -> other bridge with vlan filtering on 
-> vm

The last row shows the use of veth virtual interface, configurable via ip 
link. Enabling vlan filtering on the second bridge (rather than on the 
first) is to keep vlan filtering simple: rather than enabling all 
required vlan on the first bridge, I simply enable only untagged traffic 
on the second one.

Does libvirt support bridge vlan filtering natively? Reading the docs, 
it seems to be supported only on Open vSwitch or SR-IOV based adapters.

Thanks.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
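The "more convoluted" layout from the post (eth -> bridge -> veth0 -> veth1 -> second bridge with vlan filtering -> vm), written out as iproute2 commands. This is an added example, not code from the poster or from libvirt; the interface names (eth0, br0, br1, veth0/veth1) and the untagged PVID are assumptions, and DRY_RUN only prints the plan so it can be reviewed before touching a host.

```shell
#!/bin/sh
# Builds: trunk bridge (firewall VM sees all tags) -> veth pair -> filtered
# bridge where only the untagged (PVID) VLAN is admitted for ordinary VMs.
# Interface names and PVID below are assumed values, not from the post.
set -eu

UPLINK=${UPLINK:-eth0}      # physical NIC carrying the 802.1Q trunk
TRUNK_BR=${TRUNK_BR:-br0}   # plain bridge the firewall VM attaches to
GUEST_BR=${GUEST_BR:-br1}   # vlan_filtering bridge for the other VMs
PVID=${PVID:-1}             # VLAN that untagged frames belong to

# run: print the command when DRY_RUN=1, execute it otherwise.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_topology() {
  # Main bridge without filtering: every VLAN tag reaches the firewall tap.
  run ip link add "$TRUNK_BR" type bridge
  run ip link set "$UPLINK" master "$TRUNK_BR"
  # veth pair: veth0 hangs off the trunk bridge, veth1 off the guest bridge.
  run ip link add veth0 type veth peer name veth1
  run ip link set veth0 master "$TRUNK_BR"
  # Second bridge with VLAN filtering enabled at creation time.
  run ip link add "$GUEST_BR" type bridge vlan_filtering 1
  run ip link set veth1 master "$GUEST_BR"
  # veth1 is allowed only the PVID VLAN, untagged on egress; frames tagged
  # with any other VLAN ID coming from the trunk are dropped at this port.
  run bridge vlan del dev veth1 vid 1
  run bridge vlan add dev veth1 vid "$PVID" pvid untagged
  for dev in "$UPLINK" "$TRUNK_BR" veth0 veth1 "$GUEST_BR"; do
    run ip link set "$dev" up
  done
}

# plan: emit the full command list without changing anything on the host.
plan() { DRY_RUN=1 build_topology; }

if [ "${1:-}" = "--apply" ]; then build_topology; else plan; fi
```

Check the result on a real host with `bridge vlan show dev veth1`: it should list only the PVID entry, which is what keeps tagged traffic off the guest bridge.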
