From: Ross Boylan
Subject: bridges
Date: Thu, 07 May 2009 08:57:03 -0700
Message-ID: <1241711823.5366.47.camel@corn.betterworld.us>
Cc: ross@biostat.ucsf.edu
To: kvm@vger.kernel.org

I'm trying to understand bridging with KVM, but am still puzzled.

I think that the recommended bridging with TAP means that packets from the VM will end up going out the host card attached to the default gateway. But it looks to me as if their IP address is unchanged, which means replies will never reach me. Is that correct? Do I need to NAT the packets, or is something already doing that?

Some documents indicate that I need to bring the interfaces (e.g., eth0) down before I bring the bridge up, and that afterwards only the bridge will have an IP address. Is that right?

Some documents, e.g., http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, indicate iptables should "just work" with bridging. However, I've seen someone with a 2.6.15 kernel ask about firewalling and be told they needed to patch the kernel to get it to work (don't have the reference handy). Should it just work?

I'm running a 2.6.29 kernel on Debian Lenny with kvm 72+dfsg-5~lenny1. Version 84+dfsg-2 is available in experimental. Is there much to be gained by going with the more recent version?

Please cc me; I'm not on the list.

Thanks.
Ross Boylan