Re: Networking: Questions about KVM-Host to KVM-Guest internal traffic handling

On Wed, May 06, 2015 at 08:15:43AM +0200, David Borman wrote:
> I am just studying the FAQs but I cannot find a valid answer to this specific
> question about the subject topic. I have a virtual KVM instance running and
> I am curious about the internals and how the packets are routed from the
> physical (host system) layer to the internal, virtual guest interface
> (virtio, e1000, rtl). I am talking about Ethernet and IP/TCP/UDP/ICMP data
> only.
> 
> "How" is an inbound packet, reaching the KVM host's physical Ethernet card
> hardware, forwarded to the virtual network card inside the guest OS, and what
> is happening if the guest OS firewall admin decides to drop/reject/accept
> the packet?
> 
> 1) Will the KVM host system drop this packet physically?
> 2) Is the KVM guest OS dropping the packet at the virtual guest network
> adapter?
> (and if so, what data remains inside the KVM host system memory, at the host
> NIC driver level, after a guest OS signals to drop the virtual packet?)
> 
> Are there docs out there where I can study the details?

The network stack is very flexible, so many configurations are possible.

A popular bridged Ethernet configuration is:

guest <-> vhost_net.ko <-> tap <-> software bridge <-> eth0

The flow is:
1. Packet is received on physical eth0
2. Packet is given to software bridge and the destination MAC address is
   used to determine the bridge port for forwarding.
3. Packet is forwarded to the tap device on the host that is associated
   with the guest.
4. vhost_net reads the packet from the tap device into guest memory and
   then signals the guest.
5. Guest notices the received packet and its virtio_net driver hands the
   packet to the guest network stack.

All of these components can be swapped out: software bridge vs
Open vSwitch, software bridge vs macvtap, vhost_net vs NIC emulation in
QEMU, bridging vs NAT, etc.  If you are just learning about this, focus
on the one configuration you care about and ignore all others for now.

You can use firewall rules on the host on any of the three network
interfaces (physical eth0, software bridge interface, or tap).  If the
packets are dropped by the host then the guest will not see them.

If the guest relies on its own firewall then packets are transferred
into the guest.  Once they are inside the guest the host no longer cares
about them and they are in guest memory.  Whether or not the guest
decides to drop them makes no difference to the host.

Stefan
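The bridged setup and host-side filtering described in the reply above, as an added example that is not part of Stefan's message or of any KVM/QEMU project code. It builds the eth0 <-> br0 <-> tap0 <-> vhost_net <-> guest path and emits an nftables ruleset in the `bridge` family that filters frames at the bridge's forward hook before they reach the guest's tap port, which is exactly the "dropped by the host, never seen by the guest" case. The interface names (eth0, br0, tap0), the tap owner `qemu` and the guest MAC 52:54:00:12:34:56 are assumptions; the ruleset contents are a constructed sample, not a recommended policy.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: host NIC eth0,
# bridge br0, tap device tap0, tap owner "qemu", guest MAC 52:54:00:12:34:56.
set -eu

PHYS=${PHYS:-eth0}
BRIDGE=${BRIDGE:-br0}
TAP=${TAP:-tap0}
TAP_USER=${TAP_USER:-qemu}
GUEST_MAC=${GUEST_MAC:-52:54:00:12:34:56}

# Steps 1-3 of the flow: enslave eth0 and the guest's tap to one bridge, so the
# bridge forwards frames between its ports by destination MAC. Needs root.
setup_bridge() {
    ip link add name "$BRIDGE" type bridge
    ip link set "$PHYS" master "$BRIDGE"
    ip tuntap add dev "$TAP" mode tap user "$TAP_USER"
    ip link set "$TAP" master "$BRIDGE"
    ip link set "$PHYS" up
    ip link set "$TAP" up
    ip link set "$BRIDGE" up
}

# Steps 4-5: QEMU attaches the guest's virtio-net device to the tap, with
# vhost_net (vhost=on) moving packets between the tap and guest memory in the kernel.
qemu_net_args() {
    printf '%s' "-netdev tap,id=net0,ifname=$TAP,script=no,downscript=no,vhost=on -device virtio-net-pci,netdev=net0,mac=$GUEST_MAC"
}

# Host-side filtering at the tap port. The nftables "bridge" family hooks the
# Linux bridge's own forward path, so it sees frames before they are handed to
# the tap and needs no br_netfilter. Anything hitting "counter drop" here is
# freed on the host and never copied into guest memory.
guest_ruleset() {
    cat <<EOF
table bridge guestfw {
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "$TAP" jump to_guest
    }
    chain to_guest {
        ether type arp accept
        ip protocol icmp accept
        tcp dport 22 accept
        counter drop
    }
}
EOF
}

# Load the ruleset atomically from stdin (needs root and the nft binary).
apply_ruleset() {
    guest_ruleset | nft -f -
}

case "${1:-show}" in
    setup) setup_bridge ;;
    apply) apply_ruleset ;;
    show)  guest_ruleset; echo; echo "qemu-system-x86_64 ... $(qemu_net_args)" ;;
esac
```

Run it with `setup` and then `apply` as root, and pass the printed `-netdev`/`-device` arguments to QEMU. Two caveats a practitioner will hit: the sample chain is stateless, so replies to connections the guest itself opens also fall into `counter drop` unless you add `ct state` rules (bridge-family conntrack needs the nf_conntrack_bridge module, kernel 5.3 and later); and once eth0 is enslaved, the host's own IP address has to move to br0. If you would rather filter with the ordinary `ip` family FORWARD chain, bridged frames only traverse it when br_netfilter is loaded and `net.bridge.bridge-nf-call-iptables=1` is set.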
