Hi Laine, thanks for your answer, I really appreciate that.

On Wed, Jan 02, 2019 at 11:34:30AM -0500, Laine Stump wrote:
> On 12/16/18 4:59 PM, Marc Haber wrote:
> > I would like to run a network firewall as a VM on a KVM host. There are
> > ~ 25 VLANs delivered to the KVM host on three dedicated links, no LACP
> > or other things. I have the VLANs 100-180 on the host's enp1s0, the VLANs
> > 200-280 on the host's enp2s0 and the VLANs 300-380 on the host's enp3s0.
> >
> > To save myself from configuring all VLANs on the KVM host, I'd like to
> > hand the entire ethernet link to the VM and to have the VLAN interfaces
> > there. Using classical Linux bridges (brctl), things work fine.
>
> When I asked the person I go to with questions about macvtap (because he
> knows the internals), his response was "if a Linux host bridge works, then
> he should use that". In other words, he was skeptical that what you want to
> do could be made to work with macvtap.

I see. A Linux host bridge is what I build with brctl?

> Is there a specific reason you need to use macvtap rather than a Linux host bridge?

I somehow got the impression that using macvtap is the more "modern" and also
more performant approach to bring network to VMs. Since the VM in question is a
firewall, I'd love to have the performance impact caused by virtualization
minimized[1].

If this is a misconception, it might have been partially caused by some
colleagues at my last customer's site who were very vocal about deprecating the
classical brctl bridges in favor of macvtap/macvlan, and the fact that
virt-manager uses macvtap by default and needs to be massaged into allowing a
classic brctl bridge.
Greetings
Marc

[1] The transfer rate of a tunneled IPv6 link with a dedicated VM handling the
tunnel and a dedicated VM handling firewalling with brctl bridges (ingress
packet - hypervisor - firewall VM - hypervisor - tunnel VM - hypervisor -
firewall VM - hypervisor - egress packet) maxes out at about 15 Mbit on the APU
device being used, with negligible load on the two VMs and the hypervisor
kernel spending a non-negligible amount of its time inside the kernel, which I
interpret as the context changes killing the machine.

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
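The two libvirt guest interface definitions the thread compares for handing the enp1s0 trunk (VLANs 100-180) to the firewall VM, as an added example that is not from the thread or from libvirt's documentation; the host bridge name br-enp1s0 is an assumption, and the bridge itself must already exist on the host with enp1s0 enslaved to it (created with brctl or ip link).

```xml
<!-- Added example, not from the thread. Bridge name br-enp1s0 is assumed;
     create it on the host first and enslave enp1s0 to it. -->
<devices>
  <!-- Option A: classic Linux host bridge, the setup the thread reports as
       working. With the bridge's vlan_filtering left at its default (off),
       802.1Q-tagged frames are forwarded unchanged, so the guest can create
       its own VLAN sub-interfaces for 100-180. -->
  <interface type='bridge'>
    <source bridge='br-enp1s0'/>
    <model type='virtio'/>
  </interface>

  <!-- Option B: macvtap bound directly to the physical link (what virt-manager
       picks by default). No host bridge is involved, but the host itself
       cannot reach the guest over this path, and the thread's macvtap contact
       doubted that a full VLAN trunk can be made to work this way. -->
  <interface type='direct'>
    <source dev='enp1s0' mode='bridge'/>
    <model type='virtio'/>
  </interface>
</devices>
```

Only one of the two stanzas would be kept in a real domain definition; the same pattern repeats for enp2s0 and enp3s0.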