* guest MAC-address isolation
From: Robert Rebstock @ 2009-01-24 23:56 UTC (permalink / raw)
To: kvm
Hello kvmers.
I am having network issues that I suspect are related to kvm's
user mode networking; in particular:
I have a server setup with virtualized kvm clients started with
"user mode" networking and RDP port redirection as follows:
7719 ? Sl 454:05 \_ kvm -m 2048 -redir tcp:3394::3389 ...
7731 ? Sl 97:58 \_ kvm -m 2048 -redir tcp:3393::3389 ...
7768 ? Sl 109:23 \_ kvm -m 2048 -redir tcp:3392::3389 ...
7801 ? Sl 43:46 \_ kvm -m 2048 -redir tcp:3391::3389 ...
7823 ? Sl 16:19 \_ kvm -m 2048 -redir tcp:3398::3389 ...
7834 ? Sl 59:38 \_ kvm -m 2048 -redir tcp:3395::3389 ...
which are being accessed by linux rdesktop clients.
Although server and clients are on the same LAN, RDP-traffic is only updated
in correlation to user input, leaving me looking for a way to circumvent this,
so that the users don't have to frantically thrash their mouse to and fro, to
get data on their usb-sticks or watch YouTube. ;-)
All kvm's are using (and must use) the same MAC-address; this shouldn't be a
problem with "-net user", right?
Aside from my specific setup, what I'm really looking for is the best way to
achieve "guest MAC-address isolation".
Is slirpvde worth trying, or maybe tcp-bridge (I suspect that the performance
is not acceptable)?
Any ideas on whether there is a way to achieve "guest MAC address isolation"
with ebtables? I can get "MAC NAT" (sort of) working with:
ebtables -t nat -A PREROUTING -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
but I have no idea on how I might be able to achieve "guest MAC address isolation"
with multiple guests needing the same MAC.
My current non "user mode" networking setup looks as such (a little debian specific):
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports eth0
bridge_maxwait 0
address 192.168.2.200
netmask 255.255.255.0
gateway 192.168.2.1
pre-up modprobe ip_conntrack_tftp
pre-up modprobe ip_conntrack_ftp
pre-up modprobe ip_nat_tftp
pre-up modprobe ip_nat_ftp
auto natbr0
iface natbr0 inet static
bridge_ports dummy
bridge_maxwait 0
address 192.168.99.1
netmask 255.255.255.0
up /usr/sbin/dnsmasq --interface=natbr0 --except-interface=lo --bind-interfaces --user=nobody \
--dhcp-range=natbr0,192.168.99.50,192.168.99.100,255.255.255.0,192.168.99.255,72h \
--domain=example.net --pid-file=/var/run/natbr0_dnsmasq.pid --conf-file
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
post-up iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT
post-up iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT
/etc/kvm/kvm-ifup-br:
#!/bin/sh
BRIDGE=br0
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif $BRIDGE $1
/etc/kvm/kvm-ifup-natbr:
#!/bin/sh
BRIDGE=natbr0
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif $BRIDGE $1
I would be most interested in a (guest agnostic) ebtables solution. Any help or insight is much appreciated.
Thank you in advance,
best regards,
Robert
PS. Please BCC me, as I am not on the list.
* guest MAC-address isolation
From: Robert Rebstock @ 2010-08-06 17:09 UTC (permalink / raw)
To: kvm
Hello all,
can anyone recommend a better way to achieve (guest agnostic) MAC-address
isolation in qemu/kvm than with user-mode networking?
I have multiple guests requiring the same MAC-address, and user-mode/slirp
networking is quite slow.
best regards,
Robert
PS. Please BCC me, as I am not on the list.
* Re: guest MAC-address isolation
From: Avi Kivity @ 2010-08-17 9:36 UTC (permalink / raw)
To: Robert Rebstock; +Cc: kvm
On 08/06/2010 08:09 PM, Robert Rebstock wrote:
> Hello all,
>
> can anyone recommend a better way to achieve (guest agnostic) MAC-address
> isolation in qemu/kvm than with user-mode networking?
>
> I have multiple guests requiring the same MAC-address, and user-mode/slirp
> networking is quite slow.
>
You can put the different guests on different bridges, and use IP
routing to connect the two bridges; or you can use ebtables to mangle
the MAC addresses.
--
error compiling committee.c: too many arguments to function
* Re: guest MAC-address isolation
From: Robert Rebstock @ 2010-08-20 17:48 UTC (permalink / raw)
Cc: kvm
Hello.
Thank you for your answer.
> ----- Original Message -----
> From: "Avi Kivity" <avi@redhat.com>
> To: "Robert Rebstock" <rebstock@scienceworks.com>
> Cc: kvm@vger.kernel.org
> Sent: Tuesday, August 17, 2010 11:36:41 AM
> Subject: Re: guest MAC-address isolation
>
> On 08/06/2010 08:09 PM, Robert Rebstock wrote:
> > Hello all,
> >
> > can anyone recommend a better way to achieve (guest agnostic) MAC-address
> > isolation in qemu/kvm than with user-mode networking?
> >
> > I have multiple guests requiring the same MAC-address, and user-mode/slirp
> > networking is quite slow.
> >
>
> You can put the different guests on different bridges, and use IP
> routing to connect the two bridges; or you can use ebtables to mangle
> the MAC addresses.
>
Could you possibly give me an example? Unfortunately my networking skills are not the best,
which is not to say that I don't try. The best I can do, after reading the
documentation I could find, is:
ebtables -t nat -A PREROUTING -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
but I can see no way to mangle multiple identical MACs so as to achieve layer-2
isolation for my snapshotted VMs.
Many thanks,
RR
* Re: guest MAC-address isolation
From: Avi Kivity @ 2010-08-25 10:30 UTC (permalink / raw)
To: Robert Rebstock; +Cc: kvm
On 08/20/2010 08:48 PM, Robert Rebstock wrote:
> Hello.
> Thank you for your answer.
>
>> ----- Original Message -----
>> From: "Avi Kivity" <avi@redhat.com>
>> To: "Robert Rebstock" <rebstock@scienceworks.com>
>> Cc: kvm@vger.kernel.org
>> Sent: Tuesday, August 17, 2010 11:36:41 AM
>> Subject: Re: guest MAC-address isolation
>>
>> On 08/06/2010 08:09 PM, Robert Rebstock wrote:
>>> Hello all,
>>>
>>> can anyone recommend a better way to achieve (guest agnostic) MAC-address
>>> isolation in qemu/kvm than with user-mode networking?
>>>
>>> I have multiple guests requiring the same MAC-address, and user-mode/slirp
>>> networking is quite slow.
>>>
>> You can put the different guests on different bridges, and use IP
>> routing to connect the two bridges; or you can use ebtables to mangle
>> the MAC addresses.
>>
> Could you possibly give me an example? Unfortunately my networking skills are not the best,
> which is not to say that I don't try. The best I can do, after reading the
> documentation I could find, is:
>
> ebtables -t nat -A PREROUTING -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
> ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
>
> but I can see no way to mangle multiple identical MACs so as to achieve layer-2
> isolation for my snapshotted VMs.
>
You could use --in-interface to select packets based on which guest they
originated from (for snat).
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
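The two approaches Avi suggests in this thread (one bridge per guest joined by IP routing, in the 2010-08-17 reply, and rewriting the shared MAC per guest with ebtables keyed on the ingress port, in the 2010-08-25 reply), as an added shell example that is not part of the thread or of the kvm/ebtables projects. It only prints the host-side commands so they can be reviewed before being run as root. The tap device names tap0/tap1, the bridge names gbrN, the 192.168.10N.0/24 subnets and the locally administered 02:00:00:00:00:NN replacement MACs are assumptions chosen here; br0 and the shared MAC 00:11:11:11:11:11 come from Robert's original post.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not execute) the host
# commands for both suggestions so they can be reviewed first.
# Assumed names: tap devices tap0..tapN, per-guest bridges gbrN, subnets
# 192.168.10N.0/24 and replacement MACs 02:00:00:00:00:NN (all hypothetical).

# Suggestion 1: one bridge per guest, joined by IP routing on the host.
# Every guest keeps the shared MAC, but it only ever exists on one bridge,
# so the host never sees the same MAC on two ports. Forwarding between the
# guest bridges and the uplink bridge follows the original interfaces file
# (permissive FORWARD rules plus MASQUERADE on the uplink).
gen_routed_bridges() {
    uplink=$1
    shift
    n=0
    for tap in "$@"; do
        n=$((n + 1))
        br="gbr$n"
        net="192.168.$((100 + n))"
        echo "brctl addbr $br"
        echo "brctl setfd $br 0"
        echo "ifconfig $br $net.1 netmask 255.255.255.0 up"
        echo "ifconfig $tap 0.0.0.0 up"
        echo "brctl addif $br $tap"
        echo "iptables -A FORWARD -s $net.0/24 -j ACCEPT"
        echo "iptables -A FORWARD -d $net.0/24 -j ACCEPT"
    done
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE"
}

# Suggestion 2: keep one bridge and give each guest a unique outside MAC.
# ebtables rejects --in-interface in the POSTROUTING chain, which is the
# only chain where snat is allowed, so the ingress tap is recorded as an
# nfmark in PREROUTING and the snat rule matches that mark instead.
# Frames arriving for the unique MAC are dnat'ed back to the shared MAC.
gen_mac_nat_rules() {
    tap=$1
    shared=$2
    unique=$3
    mark=$4
    echo "ebtables -t nat -A PREROUTING -i $tap -s $shared -j mark --mark-set $mark --mark-target CONTINUE"
    echo "ebtables -t nat -A POSTROUTING --mark $mark -s $shared -j snat --to-src $unique --snat-arp --snat-target ACCEPT"
    echo "ebtables -t nat -A PREROUTING -d $unique -j dnat --to-dst $shared --dnat-target ACCEPT"
}

# Stand-alone run: print both rule sets for two hypothetical guests.
gen_routed_bridges br0 tap0 tap1
n=0
for tap in tap0 tap1; do
    n=$((n + 1))
    gen_mac_nat_rules "$tap" 00:11:11:11:11:11 "02:00:00:00:00:0$n" "$n"
done
```

The ebtables variant has a limitation worth knowing before relying on it: the bridge learns source MACs on ingress, before the POSTROUTING snat runs, so the shared MAC keeps moving between tap ports in the forwarding database, and a frame dnat'ed back to the shared MAC can be delivered to whichever guest spoke last. The routed-bridge variant has no such ambiguity, which is why it is the safer default when the guests cannot be given distinct MACs.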
* guest MAC-address isolation
From: Robert Rebstock @ 2009-01-25 0:39 UTC (permalink / raw)
To: netfilter
Hello.
I am having network issues that I suspect are related to kvm's
user mode networking; in particular:
I have a server setup with virtualized kvm clients started with
"user mode" networking and RDP port redirection as follows:
7719 ? Sl 454:05 \_ kvm -m 2048 -redir tcp:3394::3389 ...
7731 ? Sl 97:58 \_ kvm -m 2048 -redir tcp:3393::3389 ...
7768 ? Sl 109:23 \_ kvm -m 2048 -redir tcp:3392::3389 ...
7801 ? Sl 43:46 \_ kvm -m 2048 -redir tcp:3391::3389 ...
7823 ? Sl 16:19 \_ kvm -m 2048 -redir tcp:3398::3389 ...
7834 ? Sl 59:38 \_ kvm -m 2048 -redir tcp:3395::3389 ...
which are being accessed by linux rdesktop clients.
Although server and clients are on the same LAN, RDP-traffic is only updated
in correlation to user input, leaving me looking for a way to circumvent this,
so that the users don't have to frantically thrash their mouse to and fro, to
get data on their usb-sticks or watch YouTube. ;-)
All kvm's are using (and must use) the same MAC-address; this shouldn't be a
problem with "-net user", right?
Aside from my specific setup, what I'm really looking for is the best way to
achieve "guest MAC-address isolation".
Is slirpvde worth trying, or maybe tcp-bridge (I suspect that the performance
is not acceptable)?
Any ideas on whether there is a way to achieve "guest MAC address isolation"
with ebtables? I can get "MAC NAT" (sort of) working with:
ebtables -t nat -A PREROUTING -d 00:11:11:11:11:11 -j dnat --to-dest 00:01:23:45:67:89 --dnat-target ACCEPT
ebtables -t nat -A POSTROUTING -s 00:01:23:45:67:89 -j snat --to-src 00:11:11:11:11:11 --snat-arp --snat-target ACCEPT
but I have no idea on how I might be able to achieve "guest MAC address isolation"
with multiple guests needing the same MAC.
My current non "user mode" networking setup looks as such (a little debian specific):
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports eth0
bridge_maxwait 0
address 192.168.2.200
netmask 255.255.255.0
gateway 192.168.2.1
pre-up modprobe ip_conntrack_tftp
pre-up modprobe ip_conntrack_ftp
pre-up modprobe ip_nat_tftp
pre-up modprobe ip_nat_ftp
auto natbr0
iface natbr0 inet static
bridge_ports dummy
bridge_maxwait 0
address 192.168.99.1
netmask 255.255.255.0
up /usr/sbin/dnsmasq --interface=natbr0 --except-interface=lo --bind-interfaces --user=nobody \
--dhcp-range=natbr0,192.168.99.50,192.168.99.100,255.255.255.0,192.168.99.255,72h \
--domain=example.net --pid-file=/var/run/natbr0_dnsmasq.pid --conf-file
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
post-up iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT
post-up iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT
/etc/kvm/kvm-ifup-br:
#!/bin/sh
BRIDGE=br0
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif $BRIDGE $1
/etc/kvm/kvm-ifup-natbr:
#!/bin/sh
BRIDGE=natbr0
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif $BRIDGE $1
I would be most interested in a (guest agnostic) ebtables solution. Any help or insight is much appreciated.
Thank you in advance,
best regards,
Robert
PS. Please BCC me, as I am not on the list.