So how does the host end up providing a connection to the guest?
For the default libvirt network on virbr0, libvirt creates NAT rules that masquerade outbound connections from hosts attached to that bridge. For example, on my system, we see:
# iptables -t nat -S
[...]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[...]
As far as I understand, a bridge should connect one interface to another. So what sense does a bridge with a single interface make?
The bridge forms a virtual network for all the virtual machines you create that make use of that libvirt "network". If you boot a second virtual machine, you will see more than one interface on the bridge.
Besides, wireless interfaces are not supposed to be able to be included in a bridge, right?
As you will see from the above, the outbound interface does not need to participate in the bridge. The connection between your virtual machines and the outside world is a routed (layer 3) connection, not a layer 2 connection.
Why is the bridge needed? What is its role? Wouldn't it be enough then to have tap0?
The bridge creates a virtual layer 2 network for your virtual machines.
- This allows your VMs to talk to each other directly.
- It allows broadcast traffic between virtual machines (and the host).
- It allows policies (like firewall rules) to be applied to the virtual network, rather than to individual machines.
- It permits libvirt to attach a DHCP server to the network to service DHCP requests from your virtual machines.
- Etc.
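As an added example (not part of the original answer), the following Python script parses `iptables -t nat -S` output like the listing above and evaluates, with iptables first-match semantics and `!` negation, whether a given guest flow would be masqueraded. It shows the point made above: traffic from the 192.168.122.0/24 guest subnet to the outside world is NATed on the host, while traffic staying inside the subnet is not. The rule text is a constructed sample; the three MASQUERADE rules copy the answer's listing, and the two RETURN rules for multicast and broadcast destinations are an assumption about typical libvirt output, not something shown on this page.

```python
"""Evaluate a libvirt-style NAT POSTROUTING chain for a given guest flow.

Added example: parses `iptables -t nat -S` output and applies first-match
semantics (including `!` negation) to decide whether a packet would hit a
MASQUERADE rule. Only -s/-d/-p/-j/--to-ports are modelled; -m is skipped.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the style of `iptables -t nat -S` on a libvirt host.
# The MASQUERADE rules mirror the listing in the answer; the RETURN rules for
# multicast/broadcast are an assumption about typical libvirt output.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    src_negated: bool = False
    dst_negated: bool = False
    proto: Optional[str] = None
    proto_negated: bool = False
    to_ports: Optional[str] = None

    def matches(self, src_ip, dst_ip, proto: str) -> bool:
        # Each present match must hold, XORed with its `!` flag.
        checks = []
        if self.src is not None:
            checks.append((src_ip in self.src) != self.src_negated)
        if self.dst is not None:
            checks.append((dst_ip in self.dst) != self.dst_negated)
        if self.proto is not None:
            checks.append((proto == self.proto) != self.proto_negated)
        return all(checks)


def parse_rules(text: str) -> list[Rule]:
    """Parse `-A` lines from `iptables -S` output; policy/chain lines are skipped."""
    rules: list[Rule] = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        rule = Rule(chain=tokens[1])
        negate = False
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = True  # applies to the next match option only
                i += 1
                continue
            arg = tokens[i + 1]
            if tok == "-s":
                rule.src = ipaddress.ip_network(arg, strict=False)
                rule.src_negated = negate
            elif tok == "-d":
                rule.dst = ipaddress.ip_network(arg, strict=False)
                rule.dst_negated = negate
            elif tok == "-p":
                rule.proto = arg.lower()
                rule.proto_negated = negate
            elif tok == "-j":
                rule.target = arg
            elif tok == "--to-ports":
                rule.to_ports = arg
            elif tok == "-m":
                pass  # match-extension loader, carries no criteria by itself
            else:
                raise ValueError(f"unsupported option {tok!r} in: {line}")
            negate = False
            i += 2
        rules.append(rule)
    return rules


def first_match(rules, src: str, dst: str, proto: str, chain: str = "POSTROUTING"):
    """Return the first rule in `chain` matching the flow, or None (chain policy)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.chain == chain and rule.matches(src_ip, dst_ip, proto.lower()):
            return rule
    return None


def masquerades(rules, src: str, dst: str, proto: str) -> bool:
    """True if the flow's first matching POSTROUTING rule is MASQUERADE."""
    rule = first_match(rules, src, dst, proto)
    return rule is not None and rule.target == "MASQUERADE"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_NAT_RULES)
    flows = [
        ("192.168.122.10", "8.8.8.8", "tcp"),          # guest -> Internet
        ("192.168.122.10", "192.168.122.20", "tcp"),   # guest -> guest, stays on the bridge
        ("192.168.122.10", "255.255.255.255", "udp"),  # guest broadcast (DHCP discover)
        ("10.0.0.5", "8.8.8.8", "tcp"),                # not a guest subnet
    ]
    for src, dst, proto in flows:
        hit = first_match(rules, src, dst, proto)
        verdict = hit.target if hit else "no match (policy ACCEPT, no NAT)"
        print(f"{src:>16} -> {dst:<16} {proto:<4} {verdict}")
```

Run against a real host with `sudo iptables -t nat -S POSTROUTING | python3 -c 'import sys, natcheck; ...'` style wrapping, or simply paste the output into `SAMPLE_NAT_RULES`; non-terminal targets such as LOG are not modelled, so a chain that uses them needs the loop extended.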