On 03/31/2011 04:29 PM, Robert Šmol wrote:
Hi,
I want to forward all traffic received on eth1 into virtual domain
'firewall' (where I want to configure public IP+shorewall)
I've created following network:
node002 qemu # cat networks/int-001.xml
<network>
<name>int-001</name>
<bridge name="intbr0" />
<forward mode="route" device="eth1"/>
</network>
virsh # net-create networks/int-001.xml
error: Failed to create network from networks/int-001.xml
error: internal error Forwarding requested, but no IP address provided
You don't want to setup a virtual network for this type of configuration
- a libvirt virtual network is in reality a bridge device that is only
connected to guest interfaces, not to any physical interface. Because no
physical device is connected to that bridge, the only way out to the
rest of the world is via the host's IP routing, and in order for the
bridge to participate in routing, it must have an IP address assigned to
it (and the guests must be on the same subnet as that IP address). So,
not only will a virtual network not give you the functionality you want,
also you are trying to configure the virtual network in an unusable
manner (you say you want it to forward, but you don't give it an IP
address, which it needs in order to participate in IP routing).
But wan to set the public IP on the Firewall side. How do I do that?
Would the macvtap help me?
Yes, you need to either use macvtap (if your kernel supports it) and
don't configure an IP address for eth1 on the host, or configure a
bridge that's directly connected to eth1, don't supply that bridge with
any IP address (so the host can't directly talk through it), and connect
the guest to the bridge. macvtap will be simpler and more efficient (if
you have it :-))