On Thu, Jan 03, 2019 at 05:15:29PM -0500, Laine Stump wrote:
On 1/3/19 9:23 AM, Marc Haber wrote:
> On Wed, Jan 02, 2019 at 11:34:30AM -0500, Laine Stump wrote:
> > On 12/16/18 4:59 PM, Marc Haber wrote:
> > > I would like to run a network firewall as a VM on a KVM host. There are
> > > ~ 25 VLANs delivered to the KVM host on three dedicated links, no LACP
> > > or other things. I have the VLANs 100-180 on the host's enp1s0, the
VLANs
> > > 200-280 on the host's enp2s0 and the VLANs 300-380 on the host's
enp3s0.
> > >
> > > To save myself from configuring all VLANs on the KVM host, I'd like
to
> > > hand the entire ethernet link to the VM and to have the VLAN interfaces
> > > there. Using classical Linux bridges (brctl), things work fine.
> >
> > When I asked the person I go to with questions about macvtap (because he
> > knows the internals), his response was "if a Linux host bridge works,
then
> > he should use that". In other words, he was skeptical that what you want
to
> > do could be made to work with macvtap.
>
> I see.
>
> A Linux host bridge is what I build with brctl?
Yes, although I wouldn't use the brctl command directly if I were you - much
simpler an more stable to set it up in your host's system network config,
and let initscripts/NetworkManager/whatever your distro uses take care of
creating the bridge / attaching your physical ethernet each time the host
boots.
Of course. Network is managed with systemd-networkd on the system in
question. I was just trying to make clear which construct I mean.
> > Is there a specific reason you need to use macvtap than a
Linux host bridge?
>
> I somehow got the impression that using macvtap is the more "modern"
> and also more performant approach to bring network to VMs. Since the VM
> in question is a Firewall, I'd love to have the performance impact
> caused by virtualization minimized[1].
>
> If this is a misconception, it might have been partially caused by some
> colleagues at my last customer's site who very vocal about deprecating
> the classical brctl bridges in favor of macvtap/macvlan,
Not really. macvtap is useful because it's simple to setup (doesn't require
a change to the host's network config), but is also problematic in some
Ah. If that's the only reason to use it, then it it of couse unsuitable
for the more complex setups.
ways, e.g. it doesn't allow host<->guest communication
(unless you have a
switch that reflects all traffic back to the sender).
I have my hosts on a different VLAN than the guests, so that traffic
between host and guest is forced over the router and the firewall. That
is, IMO, the most standard-conforming way to solve the issue.
These days use of macvtap for guest connection is more the exception
than
the rule.
Interesting, that was not my perception. Thanks for setting me straight
on that.
> and the fact
> that virt-manager uses macvtap by default and needs to be massaged into
> allowing a classic brctl bridge.
On my host that has a bridge named "br0", *that* is what is offered for
connection of a new guest interface by default, not any macvtap interface.
Interesting. I had to create a dummy network in libvirt. But I guess
that you have generated that network from inside libvirt, right?
That does not work for me since I use systemd-networkd, and Debian's
netcf version cannot interface with systemd-networkd. Also I'd like my
network to be up withlit libvirt ;-)
And on another host that has no br0 device, libvirt's own
"default" network
is the default selection for new network devices, followed in the list by
other libvirt virtual networks. In all cases, the selections for macvtap
connections to the host's physical ethernets are included all the way at the
bottom of the list, below both libvirt virtual networks *and* host bridges.
It might be my own fault that my libvirt needs to be massaged into
showing the actually preferred interface.
I'll use brctl bridges in my setup. Thanks for setting me straight.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421