On Thu, May 07, 2009 at 08:57:03AM -0700, Ross Boylan wrote:
> I'm trying to understand bridging with KVM, but am still puzzled.
> I think that the recommended bridging with TAP means that packets from
> the VM will end up going out the host card attached to the default
> gateway. But it looks to me as if their IP address is unchanged, which
> means replies will never reach me. Is that correct? Do I need to NAT
> the packets, or is something already doing that?
>
> Some documents indicate that I need to bring the interfaces (e.g., eth0)
> down before I bring the bridge up, and that afterwards only the bridge
> will have an IP address. Is that right?

Here's how I think of a Linux "soft" bridge: the bridge consists of an
Ethernet switch, and a regular interface (named after the bridge) that is
connected to that switch. This is why you "give an IP address to the
bridge", because "the bridge" is also a NIC of its own.

If you attach any physical interfaces (e.g., ethN) to the bridge, they
aren't NICs any more, they're just network cables you plug into the switch
to pass traffic to other switches. Attaching VMs to the switch is just
hooking up more cables between the switch and the VMs.

If you want your host to do NAT for your VMs, then you do as you would for
any other firewall -- you have one switch (the bridge, in this case) with
all of your VMs and the "internal" interface of the host (in this case, the
bridge as well) all plugged in, and then a second interface to the outside
world (the physical NIC).

> Some documents, e.g.,
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, indicate
> iptables should "just work" with bridging.

Yes, iptables *does* "just work" with bridging, in the sense that iptables
can still filter IP packets passing through its interfaces. What you
*can't* do, though, is have some sort of magic iptables filter deep in the
bridge that plays with all traffic as it traverses. For that, there's
ebtables, which is iptables but for Ethernet (rather than IP) traffic.
Personally, I've never used ebtables in my life.

> However, I've seen someone
> with a 2.6.15 kernel ask about firewalling and be told they needed to
> patch the kernel to get it to work (don't have the reference handy).
> Should it just work?

It should Just Work, and if you've got to patch any 2.6 (or even probably
2.4) kernel then you're doing something *very* esoteric.

- Matt
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
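The two topologies the reply contrasts, written out as an added example (this is not code from the thread or from the KVM project): a "transparent" bridge where the physical NIC is absorbed into the switch and the host's address moves to the bridge, so VMs sit on the LAN with their own addresses and need no NAT; and a "firewall" layout where only the VM taps are plugged into the bridge, the bridge carries an inside address, and the host masquerades outbound traffic through the physical NIC. Interface names (br0, eth0, tap0), the addresses 10.0.0.5/24 and 192.168.100.1/24, and the use of iproute2's bridge support (brctl on older hosts) are assumptions for illustration. DRY_RUN=1 (the default) prints the commands instead of executing them; the real run needs root.

```shell
#!/bin/sh
# Added example: build a Linux soft bridge as described in the reply.
# Assumed names/addresses (constructed for illustration, adjust to your host):
BR=${BR:-br0}                         # the bridge: a switch plus a NIC of its own
WAN=${WAN:-eth0}                      # the physical NIC to the outside world
TAP=${TAP:-tap0}                      # the VM's cable into the switch
HOST_ADDR=${HOST_ADDR:-10.0.0.5/24}   # the host's LAN address (transparent mode)
INSIDE=${INSIDE:-192.168.100.1/24}    # the bridge's inside address (NAT mode)
DRY_RUN=${DRY_RUN:-1}                 # 1 = print the plan, 0 = actually run it

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the switch and bring up its own interface (no address yet).
make_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set "$BR" up
}

# Plug a VM's tap device into the switch. Once attached it is just a cable
# and carries no IP address of its own.
attach_tap() {
    run ip tuntap add dev "$TAP" mode tap
    run ip link set "$TAP" master "$BR"
    run ip link set "$TAP" up
}

# Transparent mode: the physical NIC becomes a cable into the switch, so its
# address is flushed first and the bridge takes it over. VMs then get their
# own LAN addresses and replies reach them directly, with no NAT involved.
setup_transparent_mode() {
    make_bridge
    run ip addr flush dev "$WAN"
    run ip link set "$WAN" master "$BR"
    run ip link set "$WAN" up
    run ip addr add "$HOST_ADDR" dev "$BR"
    attach_tap
}

# NAT mode: the bridge is the host's "internal" interface, the physical NIC
# stays a separate NIC facing outside. Only inside-to-outside traffic and
# the replies to it are forwarded; unsolicited inbound is dropped.
setup_nat_mode() {
    make_bridge
    run ip addr add "$INSIDE" dev "$BR"
    attach_tap
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -A FORWARD -i "$BR" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$BR" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$BR" -j DROP
}

case "${MODE:-nat}" in
    nat)         setup_nat_mode ;;
    transparent) setup_transparent_mode ;;
    *) echo "MODE must be nat or transparent" >&2; exit 2 ;;
esac
```

Run with `MODE=transparent DRY_RUN=1 sh bridge.sh` to see the plan for the bridged-LAN layout; note that in that layout the masquerade rule never appears, which is the answer to the original question: with eth0 absorbed into the bridge the VMs are simply more hosts on the LAN.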