
Hi Laine, thanks for your answer, I really appreciate that.

On Wed, Jan 02, 2019 at 11:34:30AM -0500, Laine Stump wrote:
> On 12/16/18 4:59 PM, Marc Haber wrote:
>> I would like to run a network firewall as a VM on a KVM host. There are ~ 25 VLANs delivered to the KVM host on three dedicated links, no LACP or other things. I have the VLANs 100-180 on the host's enp1s0, the VLANs 200-280 on the host's enp2s0 and the VLANs 300-380 on the host's enp3s0.
>>
>> To save myself from configuring all VLANs on the KVM host, I'd like to hand the entire ethernet link to the VM and to have the VLAN interfaces there. Using classical Linux bridges (brctl), things work fine.
>
> When I asked the person I go to with questions about macvtap (because he knows the internals), his response was "if a Linux host bridge works, then he should use that". In other words, he was skeptical that what you want to do could be made to work with macvtap.
I see. A Linux host bridge is what I build with brctl?
> Is there a specific reason you need to use macvtap rather than a Linux host bridge?
I somehow got the impression that using macvtap is the more "modern" and also more performant approach to bring network to VMs. Since the VM in question is a firewall, I'd love to have the performance impact caused by virtualization minimized [1]. If this is a misconception, it might have been partially caused by some colleagues at my last customer's site who were very vocal about deprecating the classical brctl bridges in favor of macvtap/macvlan, and by the fact that virt-manager uses macvtap by default and needs to be massaged into allowing a classic brctl bridge.

Greetings
Marc

[1] The transfer rate of a tunneled IPv6 link with a dedicated VM handling the tunnel and a dedicated VM handling firewalling with brctl bridges (ingress packet - hypervisor - firewall VM - hypervisor - tunnel VM - hypervisor - firewall VM - hypervisor - egress packet) maxes out at about 15 Mbit on the APU device being used, with negligible load on the two VMs and the hypervisor kernel spending a non-negligible amount of its time inside the kernel, which I interpret as the context changes killing the machine.

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
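For readers following the thread, here is the libvirt domain XML for the two attachment styles being compared: a guest NIC on a Linux host bridge that has the trunk port enslaved (the brctl setup Marc reports as working) beside the macvtap "direct" attachment that virt-manager offers by default. This is an added illustration, not configuration from Marc's host or from the libvirt project; the bridge name br-trunk1, the MAC address and the choice of enp1s0 as the trunk port are assumptions for the example.

```xml
<!-- Added example, not from the original thread. Names (br-trunk1, MAC, enp1s0) are assumed. -->

<!-- Variant A: Linux host bridge. The host has br-trunk1 with enp1s0 enslaved.
     With bridge VLAN filtering left at its default (off), the bridge is
     VLAN-unaware and forwards 802.1Q-tagged frames to the guest's tap
     untouched, so the guest can create VLAN sub-interfaces on top of this NIC. -->
<interface type='bridge'>
  <source bridge='br-trunk1'/>
  <mac address='52:54:00:10:01:01'/>
  <model type='virtio'/>
  <driver name='vhost'/>
</interface>

<!-- Variant B: macvtap on the physical trunk port (libvirt type 'direct').
     mode='passthrough' gives the guest exclusive use of enp1s0; the other
     modes (bridge, vepa, private) share the link among several macvtap
     endpoints and are filtered by the host-side macvlan logic. -->
<interface type='direct'>
  <source dev='enp1s0' mode='passthrough'/>
  <mac address='52:54:00:10:01:01'/>
  <model type='virtio'/>
  <driver name='vhost'/>
</interface>
```

One practical check for Variant A: `bridge vlan show` on the host should list no per-port VLAN entries for br-trunk1 (or the bridge should report vlan_filtering 0 in `ip -d link show br-trunk1`); once VLAN filtering is enabled on a bridge, each tagged VLAN has to be explicitly allowed on the trunk port and the guest's tap port, which is exactly the per-VLAN host configuration Marc wants to avoid. In either variant, only one guest should drive a given VLAN range per physical port, since the firewall VM is expected to be the sole L3 endpoint for those VLANs.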