On 01/11/2016 02:25 PM, Andre Goree wrote:
> I have some questions regarding the way that networking is handled via
> qemu/kvm+libvirt -- my apologies in advance if this is not the proper
> mailing list for such a question.
> I am trying to determine how exactly I can manipulate traffic from
> a _guest's_ NIC using iptables on the _host_.
It depends on which type of networking you are using.
1) If your guest is using a macvtap device to connect to the outside,
then iptables processing isn't done on the traffic. I saw something
a while back about getting that limitation removed from macvtap in the
kernel, but don't remember what the current status is.
2) If your guest is using a standard tap device that is attached to an
Open vSwitch bridge, then iptables processing isn't done - OVS has its
own version of packet filtering (that's as much as I know about it).
Note that OpenStack's networking uses OVS, but sets up a separate Linux
host bridge device for each guest device and puts it in between the
guest's tap device and the OVS bridge at least partly so that iptables
filtering can be done on the guest traffic.
3) If your guest is using a standard tap device that is attached to a
Linux host bridge, then all the traffic to/from the guest will be
processed by iptables and ebtables on the host. libvirt has a subsystem
that can help you create filtering rules that will be applied to the
guest interfaces *on the host*:
https://libvirt.org/formatnwfilter.html
> On the host, there is a bridged virtual NIC that corresponds to the
> guest's NIC. That interface does not have an IP setup on it on the
> host, however within the vm itself the IP is configured and everything
> works as expected.
> During my testing, I've seemingly determined that traffic from the vm
> does NOT traverse iptables on the host, but I _can_ in fact see the
> traffic via tcpdump on the host. This seems odd to me, unless the
> traffic is passed on during interaction with the kernel, and thus
> never actually reaches iptables. I've gone as far as trying to log
> via iptables any and all traffic traversing the guest's interface on
> the host, but to no avail (iptables does not see any traffic from the
> guest's NIC on the host).
> Is this the way it's supposed to work? And if so, is there any way I
> can do IP/port redirection silently on the _host_?
libvirt's "default" network does that for traffic outbound from the
guest. For traffic inbound to a guest connected to libvirt's default
network (or any other Linux host bridge), you can add a DNAT rule. Here
is an example:
http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
You may also find this article useful:
https://libvirt.org/firewall.html
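As an added example (not code from this thread, from libvirt, or from the wiki page linked above), the following POSIX shell script ties together the three attachment cases described in the reply and the DNAT answer: it classifies how a guest's host-side interface is attached (Linux bridge, macvtap, or Open vSwitch), reports whether the br_netfilter sysctl is handing bridged frames to iptables at all, and emits the DNAT plus FORWARD rules in the same pattern the libvirt wiki's port-forwarding hook uses. The sysfs paths it probes (brport/bridge for Linux-bridge ports, a macvtap/ subdirectory for macvtap devices), the ovs-vsctl iface-to-br call, and the SYS_ROOT/PROC_ROOT overrides used for offline testing are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example: inspect how a guest's host-side interface is attached and
# generate host iptables rules for inbound DNAT to the guest.
# Assumed sysfs layout: /sys/class/net/<if>/brport/bridge is a symlink to
# the Linux bridge; /sys/class/net/<if>/macvtap/ exists for macvtap devices.
# SYS_ROOT and PROC_ROOT can point at a constructed tree for offline tests.

SYS_ROOT="${SYS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# attach_type IFNAME -> prints one of:
#   bridge:<brname>  (case 3: host iptables/ebtables can see the traffic)
#   macvtap          (case 1: no host iptables processing)
#   ovs:<brname>     (case 2: Open vSwitch does its own filtering)
#   unknown / missing
attach_type() {
    _if="$1"
    _dev="$SYS_ROOT/class/net/$_if"
    [ -d "$_dev" ] || { echo "missing"; return 1; }
    if [ -L "$_dev/brport/bridge" ] || [ -e "$_dev/brport/bridge" ]; then
        # symlink target is the bridge's own sysfs directory; its basename is the bridge name
        echo "bridge:$(basename "$(readlink "$_dev/brport/bridge")")"
    elif [ -d "$_dev/macvtap" ]; then
        echo "macvtap"
    elif command -v ovs-vsctl >/dev/null 2>&1 && _br=$(ovs-vsctl iface-to-br "$_if" 2>/dev/null); then
        echo "ovs:$_br"
    else
        echo "unknown"
    fi
}

# bridge_nf_iptables -> prints 1 if bridged frames are passed to iptables,
# 0 if only ebtables sees them, "absent" if br_netfilter is not loaded.
bridge_nf_iptables() {
    _f="$PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$_f" ]; then cat "$_f"; else echo "absent"; fi
}

# valid_ipv4 ADDR -> returns 0 for a dotted quad with octets 0..255
valid_ipv4() {
    _ip="$1"
    _old_ifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# dnat_rules PROTO HOST_PORT GUEST_IP GUEST_PORT BRIDGE
# Prints the iptables commands that forward inbound HOST_PORT on the host to
# GUEST_IP:GUEST_PORT behind BRIDGE. Rules are inserted (-I), not appended,
# so they take effect ahead of libvirt's own rules on the bridge.
dnat_rules() {
    _proto="$1" _hport="$2" _gip="$3" _gport="$4" _br="$5"
    case "$_proto" in tcp|udp) ;; *) echo "bad proto: $_proto" >&2; return 1 ;; esac
    for _p in "$_hport" "$_gport"; do
        case "$_p" in ''|*[!0-9]*) echo "bad port: $_p" >&2; return 1 ;; esac
        if [ "$_p" -lt 1 ] || [ "$_p" -gt 65535 ]; then echo "bad port: $_p" >&2; return 1; fi
    done
    valid_ipv4 "$_gip" || { echo "bad guest ip: $_gip" >&2; return 1; }
    [ -n "$_br" ] || { echo "bridge name required" >&2; return 1; }
    echo "iptables -t nat -I PREROUTING -p $_proto --dport $_hport -j DNAT --to-destination $_gip:$_gport"
    echo "iptables -I FORWARD -o $_br -p $_proto -d $_gip --dport $_gport -j ACCEPT"
}

# Stand-alone usage: vm-net-check.sh IFNAME [PROTO HOST_PORT GUEST_IP GUEST_PORT]
if [ $# -ge 1 ]; then
    _att="$(attach_type "$1")"
    echo "$1 attached as: $_att"
    echo "bridge-nf-call-iptables: $(bridge_nf_iptables)"
    if [ $# -eq 5 ]; then
        case "$_att" in
            bridge:*) dnat_rules "$2" "$3" "$4" "$5" "${_att#bridge:}" ;;
            *) echo "host-side DNAT applies to Linux-bridge attachments only" >&2 ;;
        esac
    fi
fi
```

Run it as root on the host with the guest's vnet interface name (virsh domiflist shows it) to see which of the three cases applies; the generated rules are printed rather than applied so they can be reviewed first, then pasted into a libvirt qemu hook as the wiki page describes. If bridge-nf-call-iptables reads 0 or the file is absent (br_netfilter module not loaded), bridged frames are switched at layer 2 and only ebtables sees them, which is exactly the symptom of tcpdump showing guest traffic that an iptables LOG rule never matches.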