
I am in the process of doing some thesis research about using ebtables and iptables on a KVM host to perform on-the-fly firewall restrictions to KVM guest VM's.

Here is the problem: I have a bridge set up on eth0 called br0. This works fine. I then have added two tap devices: tap0 and tap1 to use br0.

For some strange reason in the KVM GUI, only 1 of the tap devices is being recognized as a bridge device. The other one is saying macvtap. I don't understand why this is the case. I don't recall having this issue on another system that I am running this on, but I am having this issue on a ThinkPad.

Below is a screenshot of the GUI showing what I am talking about: Tap0 should be set to the bridge and not macvtap

Why is tap1 getting the "(Bridge 'br0')" label instead of tap0? They both should be recognized as bridges.

I am running this on CentOS 6, and below are the ifcfg files for the taps:

For tap0:

DEVICE="tap0"
TYPE="Tap"
BRIDGE="br0"

and for tap1:

DEVICE="tap1"
TYPE="Tap"
BRIDGE="br0"

In theory, this should be working...

EDIT: Would re-installing CentOS be a good idea? I'm wondering if maybe the host's settings got screwed up somewhere...

EDIT 2: I examined my issues a bit more, and I am still very puzzled as to why only one tap interface is being seen as a bridged interface. Also strange, is that the br0 interface is not showing up in that list. I recall on my other system, it would also list that as well. Just to prove that tap0 and tap1 are in the bridge, here is the output from the brctl show command:

bridge name bridge id               STP enabled     interfaces
br0         8000.001c25990400       no              eth0
                                                    tap0
                                                    tap1

As you can see, eth0, tap0, and tap1 are added to the br0 bridge...so... this should be working....

Phanto

1 Answer

If your goal is to use bridge br0 as a switch for your VMs, you can delete tap0 and tap1. In virt-manager choose "Specify shared device name" and enter br0 in the text field.

There is no need to manually create tap0 and tap1. Just configure your VM like in the picture below. LibVirt creates vnet devices on the fly for you. http://imgur.com/kBS6J

rhasti
  • The purpose is to have each interface unique so that `ebtables` and `iptables` can perform on-the-fly firewall restrictions to each VM. Thus, I need a way to have each VM specified to a unique bridged interface. That is why I am using the `tap` interfaces. – Phanto Dec 22 '12 at 15:47
  • The problem with relying on the `vnet` interfaces is that they are not uniquely assigned to a VM. Namely, there is no guarantee that `vnet0` will be assigned to, say, "vm1". Thus the `tap` interfaces allow me to be specific, and firewall rules can be applied to each specific VM. That is why I need to use `tap` devices. I need to be able to "jail" VMs in the event of a policy violation. – Phanto Dec 22 '12 at 20:00
  • Assuming I share the `br0` interface, would I be able to achieve what I want to achieve by having `iptables`/`ebtables` filter based on the MAC assigned to the VM on the bridge? – Phanto Dec 22 '12 at 20:27
  • I think so. You can figure out what interface was created by LibVirt with `virsh domiflist vm2` http://libvirt.org/formatdomain.html#elementQoS – rhasti Dec 22 '12 at 20:45
  • I'm going to try to implement this, and if it works, I will mark this as the answer. – Phanto Dec 23 '12 at 16:54
  • I'm still in the setup process, but I am going to go ahead and try basing the firewall restrictions on the MAC address of the VM guest NIC's. Thus, I'm marking this as the answer. – Phanto Dec 25 '12 at 02:19
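Putting the answer and the comment thread together, here is an added example (not from the original post and not libvirt's own tooling): a POSIX shell script that parses `virsh domiflist` output into interface/MAC pairs and emits ebtables rules keyed on the guest MAC, so the rules stay correct whichever `vnetN` name libvirt assigns on a given boot. It assumes the guests sit on `br0` and that the `vm2`, `vnet1`/`vnet2` and MAC values in the sample are constructed; it only prints the commands and never runs ebtables itself.

```shell
#!/bin/sh
# Added example: derive per-VM ebtables rules from `virsh domiflist <vm>`.
# Assumptions: guests are attached to br0 and libvirt names the host-side
# interface vnetN. Only the printed commands would touch ebtables.

# Constructed sample of `virsh domiflist vm2` output (not from a real host).
SAMPLE_DOMIFLIST='Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet1      bridge     br0        virtio      52:54:00:ab:cd:ef
vnet2      bridge     br0        virtio      52:54:00:12:34:56
'

# Read domiflist text on stdin and print "interface mac" per data row.
# The header and dashed separator are skipped, and rows whose fifth
# column is not a 17-character MAC are ignored.
domiflist_pairs() {
    awk 'NR > 2 && NF >= 5 && length($5) == 17 { print $1, $5 }'
}

# Anti-spoofing: frames entering br0 through this vnet must carry the
# guest's own MAC, so one guest cannot impersonate another on the bridge.
pin_rules() {
    printf 'ebtables -A FORWARD -i %s ! -s %s -j DROP\n' "$1" "$2"
}

# Jail: drop every frame the bridge would forward from or to the guest's
# MAC, regardless of which vnet name libvirt picked this time.
jail_rules() {
    printf 'ebtables -A FORWARD -s %s -j DROP\n' "$2"
    printf 'ebtables -A FORWARD -d %s -j DROP\n' "$2"
}

# rules_for_vm MODE   (MODE is pin or jail); domiflist text on stdin.
rules_for_vm() {
    mode="$1"
    domiflist_pairs | while read -r iface mac; do
        case "$mode" in
            pin)  pin_rules "$iface" "$mac" ;;
            jail) jail_rules "$iface" "$mac" ;;
        esac
    done
}

# On a live host (not run here): virsh domiflist vm2 | rules_for_vm jail | sh
printf '%s' "$SAMPLE_DOMIFLIST" | rules_for_vm pin
```

The pin rules would be applied when a guest starts and the jail rules only on a policy violation; `ebtables -L FORWARD` on the host then shows which MACs are currently confined.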