> Also I'm still curious about my questions in my earlier response
> to you:
> https://www.redhat.com/archives/libvir-list/2011-April/msg00589.html
> in particular:
>
> 1) does the network on each host always have a <forward ...> element for
> forwarding local traffic directly out to the public network? or
> alternately, is it possible to force a network on one host to send all
> traffic over the L2-over-L3 tunnel to a network on another machine, and
> from there out to the public network? It seems that, in this case, there
> would be no default route for the systems on the former network (in the
> case of no forwarding on a libvirt network, no default route is sent in
> the dhcp response - maybe that needs to be configurable...)
"My virtual network" has to be considered as an "inseparable logical
entity" which is distributed on several hosts. This means that each
virtual network portion defined on each host has a <forward ...>
element. AFAIK, if the network definition is different between two hosts,
the domain migration fails...
> 2) Is there an exact 1:1 correspondence between network and tunnel (or
> perhaps there may be multiple tunnels for a network, but those tunnels
> are not used by any other network on the same host)? If so, perhaps your
> project could be simplified by just putting the tunnel config as a
> subelement of <network>, rather than referencing it - this way you would
> avoid the need for the extra APIs to define/undefine/etc sectunnel.
In "my framework", each host is connected with another one only by using
one tunnel, where the different traffic flows are isolated by using
mechanisms like VLAN or SELinux labeling.
> 3) Are your tunnels always L2, or do you have provision for setting up
> L3 tunnels? (Perhaps that could be done by allowing multiple <forward>
> elements, and having a <forward> that specified a tunnel rather than a
> physical interface, as well as a list of routes as subelements? This,
> along with a sectunnel subelement should be enough info to setup a
> secure L3 tunnel which would be used for the specified routes, right?)
"My tunnels" are always L2-on-L3 because I want to create an
L2-adjacency between guests that are running on different hosts which
are connected by an L3 network.
> (BTW, after thinking about it some more, I think I agree that <network>
> is the right place to implement this, rather than a virInterface (host)
> based <interface> (although that would also be useful, totally separate
> from libvirt)).
>
> It seems we can gain a lot from each other! I'm hoping to have my
> expansion of the network config completed by the end of June at latest,
> but your work may enable/force me to hurry it a bit more than that :-)
Excellent! :-) :-)
--
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo.smiraglia(a)polito.it
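The thread makes two operational points: a distributed virtual network must be defined identically on every host or migration fails, and a libvirt network without a <forward> element is isolated, so its guests get no default route from DHCP. The following script is an added example written for this page; it is not code from the thread or from libvirt. It parses the real libvirt network XML elements (<name>, <forward>, <bridge>, <ip>, <dhcp>/<range>) from constructed sample definitions and reports the differences an operator would want to see before migrating a guest between hosts. Treating a bare <forward/> as NAT follows libvirt's documented default; the sample XML, host names and the `migration_safe` helper are assumptions made here.

```python
"""Added example: pre-migration consistency check for libvirt <network>
definitions on two hosts (not code from the libvir-list thread or libvirt)."""
import xml.etree.ElementTree as ET

# Constructed sample definitions. Host A and host B both define "vnet0",
# but host B uses routed forwarding via eth0 and a smaller DHCP range.
HOST_A_XML = """<network>
  <name>vnet0</name>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"""

HOST_B_XML = """<network>
  <name>vnet0</name>
  <forward mode='route' dev='eth0'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.100' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"""

# Constructed isolated network: no <forward> element at all.
ISOLATED_XML = """<network>
  <name>isolated0</name>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.200.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.200.2' end='192.168.200.254'/>
    </dhcp>
  </ip>
</network>"""


def summarize_network(xml_text):
    """Reduce a libvirt <network> document to the fields that must agree
    across hosts, plus whether DHCP clients will receive a default route."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("not a libvirt <network> document")
    forward = root.find("forward")
    bridge = root.find("bridge")
    ip = root.find("ip")
    ranges = []
    if ip is not None:
        for rng in ip.findall("dhcp/range"):
            ranges.append((rng.get("start"), rng.get("end")))
    return {
        "name": root.findtext("name"),
        # libvirt treats <forward/> without a mode attribute as NAT.
        "forward_mode": None if forward is None else forward.get("mode", "nat"),
        # The dev attribute is host-local; flagging it is deliberate, so an
        # operator sees that the two hosts egress through different NICs.
        "forward_dev": None if forward is None else forward.get("dev"),
        "bridge": None if bridge is None else bridge.get("name"),
        "ip": None if ip is None else (ip.get("address"), ip.get("netmask")),
        "dhcp_ranges": ranges,
        # No <forward> means an isolated network: no default route via DHCP.
        "dhcp_default_route": forward is not None,
    }


def compare_networks(xml_a, xml_b):
    """Return human-readable differences between two definitions; an empty
    list means the hosts agree on every compared field."""
    a, b = summarize_network(xml_a), summarize_network(xml_b)
    return [f"{key}: {a[key]!r} != {b[key]!r}"
            for key in sorted(a) if a[key] != b[key]]


def migration_safe(xml_a, xml_b):
    """Hypothetical gate: only migrate when the definitions match exactly."""
    return not compare_networks(xml_a, xml_b)


if __name__ == "__main__":
    for line in compare_networks(HOST_A_XML, HOST_B_XML):
        print("MISMATCH", line)
    print("migration safe:", migration_safe(HOST_A_XML, HOST_B_XML))
    print("isolated0 gives default route:",
          summarize_network(ISOLATED_XML)["dhcp_default_route"])
```

Run it directly and it lists the three mismatches between the constructed hosts (forward mode, forward device, DHCP range) and reports that the isolated network hands out no default route. In practice the XML would come from `virsh net-dumpxml <name>` on each host rather than from inline constants.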