On Mon, Dec 28, 2009 at 09:14:58PM +0100, richard lucassen wrote:
> Hello list,
>
> As there is another way to connect VMs to the host's network apart from
> bridging, I wrote a simple howto:
>
> http://www.xaq.nl/kvm-tap-howto.txt
>
> I have used this method quite a lot ever since I started using KVM
> (KVM-8?)
>
> Would this be useful enough to add it to the networking howto?
>
> R.

I'm afraid I'm a bit more insane in this regard... But I'm on an older
Ubuntu that still believes in downing everything "auto" in
/etc/network/interfaces, or managed via network manager, upon suspend or
hibernate.

Anyways, the background:

1) I'm forgetful
2) I'm lazy
3) I don't like network disappearing on VMs.
4) I don't like fiddling with settings when moving from wired to wireless
5) Our network facilities folks have some issues
6) Our corporate security folks are sometimes insane, but this actually
   led to a clever idea inspired by iptables-save.

apt-get install vde2
(the kvm package depends on bridge-utils)

cat >> /etc/network/interfaces << EEOOTT
# Manual interfaces are not dropped on suspend and resume
iface vde0 inet manual
    vde2-switch -t vde0

# But we don't really care if the bridge goes up or down
auto br_vde0
iface br_vde0 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    bridge_ports vde0
    bridge_maxwait 0
    pre-up ifup vde0
EEOOTT

cat > /etc/iptables.d/filter/INPUT/00-pr-vm.rule << EEOOTT
# These go into the INPUT chain on the filter table
-A INPUT -i br_vde0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -i br_vde0 -d 255.255.255.255/32 -j ACCEPT
EEOOTT

cat > /etc/iptables.d/filter/FORWARD/00-pr-vm.rule << EEOOTT
# These go into the FORWARD chain on the filter table
-A FORWARD -i eth0 -o br_vde0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br_vde0 -o eth0 -j ACCEPT
-A FORWARD -i wlan0 -o br_vde0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br_vde0 -o wlan0 -j ACCEPT
EEOOTT

cat > /etc/iptables.d/nat/POSTROUTING/00-vm-nat.rule << EEOOTT
# These go into the POSTROUTING chain of the nat table
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o wlan0 -j MASQUERADE
EEOOTT

And voila... I don't have to remember to manually set up the bridge
between VDE and a tap device on the host, don't have to watch VDE or tap
devices disappear on suspend, and networking just keeps working when I
switch from wired to wireless (well, existing connections get a little
unhappy, but that happens on the host too).

I'll leave it as an exercise for the reader how the iptables-save format
file is generated.

--
Chris Dukes
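One way to assemble the iptables-save format file that the post leaves as an exercise, as an added example rather than Chris Dukes' own generator: it walks the /etc/iptables.d/<table>/<chain>/*.rule layout shown in the post and assumes an optional per-chain "policy" file (an assumption of this example) so that chains without one keep the ACCEPT policy and a missing fragment does not lock the host out.

```shell
#!/bin/sh
# Build iptables-restore input from rule fragments laid out as
#   <root>/<table>/<chain>/NN-name.rule      (e.g. filter/INPUT/00-pr-vm.rule)
# Each fragment holds lines in iptables-save syntax ("-A CHAIN ...").
# Assumption of this example: an optional <root>/<table>/<chain>/policy file
# holding the chain policy (DROP or ACCEPT); chains without one default to
# ACCEPT, which is the safe side for a single-host setup like the one above.
gen_iptables_restore() {
    root=$1
    for tabledir in "$root"/*/; do
        [ -d "$tabledir" ] || continue
        table=${tabledir%/}; table=${table##*/}
        echo "*$table"
        # Chain declarations come first, in the order iptables-save emits them.
        for chaindir in "$tabledir"*/; do
            [ -d "$chaindir" ] || continue
            chain=${chaindir%/}; chain=${chain##*/}
            policy=ACCEPT
            if [ -f "${chaindir}policy" ]; then
                policy=$(cat "${chaindir}policy")
            fi
            echo ":$chain $policy [0:0]"
        done
        # Then the rules; fragments apply in lexical order, hence the 00- prefix.
        for chaindir in "$tabledir"*/; do
            [ -d "$chaindir" ] || continue
            for rule in "$chaindir"*.rule; do
                [ -f "$rule" ] || continue
                # Drop comment and blank lines so the restore file stays clean.
                sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$rule"
            done
        done
        echo COMMIT
    done
}

# Typical use (as root): gen_iptables_restore /etc/iptables.d | iptables-restore
```

Review the generated output with `gen_iptables_restore /etc/iptables.d` before piping it into iptables-restore, since iptables-restore replaces every table it lists.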