TODO item: guest programmable mac/vlan filtering with macvtap

TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

Hi,

    I'm starting a  thread related to the TODO item mentioned in the
subject. Currently still gathering info and trying to make kvm &
macvtap play nicely together. I have used this [1] guide to set it up
but qemu is still complaining about the PCI device address of the
virtio-net-pci. Tried with latest qemu. Am I missing something here?

[1] - http://virt.kernelnewbies.org/MacVTap

-- Dragos

[Qemu-devel] TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

Hi,

    I'm starting a  thread related to the TODO item mentioned in the
subject. Currently still gathering info and trying to make kvm &
macvtap play nicely together. I have used this [1] guide to set it up
but qemu is still complaining about the PCI device address of the
virtio-net-pci. Tried with latest qemu. Am I missing something here?

[1] - http://virt.kernelnewbies.org/MacVTap

-- Dragos

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Michael S. Tsirkin]

On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> Hi,
> 
>     I'm starting a  thread related to the TODO item mentioned in the
> subject. Currently still gathering info and trying to make kvm &
> macvtap play nicely together. I have used this [1] guide to set it up
> but qemu is still complaining about the PCI device address of the
> virtio-net-pci. Tried with latest qemu. Am I missing something here?
> 
> [1] - http://virt.kernelnewbies.org/MacVTap
> 
> -- Dragos


It really should be:
 -net nic,model=virtio,netdev=foo -netdev tap,id=foo

Created account but still could not edit
the wiki. Arnd, know why that is? Could you correct qemu
command line pls?

-- 
MST

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Michael S. Tsirkin]

On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> Hi,
> 
>     I'm starting a  thread related to the TODO item mentioned in the
> subject. Currently still gathering info and trying to make kvm &
> macvtap play nicely together. I have used this [1] guide to set it up
> but qemu is still complaining about the PCI device address of the
> virtio-net-pci. Tried with latest qemu. Am I missing something here?
> 
> [1] - http://virt.kernelnewbies.org/MacVTap
> 
> -- Dragos


It really should be:
 -net nic,model=virtio,netdev=foo -netdev tap,id=foo

Created account but still could not edit
the wiki. Arnd, know why that is? Could you correct qemu
command line pls?

-- 
MST

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Arnd Bergmann]

On Friday 15 October 2010, Michael S. Tsirkin wrote:
> On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> > Hi,
> > 
> >     I'm starting a  thread related to the TODO item mentioned in the
> > subject. Currently still gathering info and trying to make kvm &
> > macvtap play nicely together. I have used this [1] guide to set it up
> > but qemu is still complaining about the PCI device address of the
> > virtio-net-pci. Tried with latest qemu. Am I missing something here?
> > 
> > [1] - http://virt.kernelnewbies.org/MacVTap
> > 
> 
> It really should be:
>  -net nic,model=virtio,netdev=foo -netdev tap,id=foo
> 
> Created account but still could not edit
> the wiki. Arnd, know why that is? Could you correct qemu
> command line pls?

I also have lost write access to the wiki, no idea what happened there.
I started the page, but it subsequently became protected.

We never added support for the qemu command line directly, the
plan was to do that using helper scripts.

The only way to do it is to redirect both input and output
to the tap device, so you ned to do

-net nic,model=virtio,netdev=foo -netdev tap,id=foo,fd=3 <>3

when starting from bash.

	Arnd

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Arnd Bergmann]

On Friday 15 October 2010, Michael S. Tsirkin wrote:
> On Thu, Oct 14, 2010 at 11:40:52PM +0200, Dragos Tatulea wrote:
> > Hi,
> > 
> >     I'm starting a  thread related to the TODO item mentioned in the
> > subject. Currently still gathering info and trying to make kvm &
> > macvtap play nicely together. I have used this [1] guide to set it up
> > but qemu is still complaining about the PCI device address of the
> > virtio-net-pci. Tried with latest qemu. Am I missing something here?
> > 
> > [1] - http://virt.kernelnewbies.org/MacVTap
> > 
> 
> It really should be:
>  -net nic,model=virtio,netdev=foo -netdev tap,id=foo
> 
> Created account but still could not edit
> the wiki. Arnd, know why that is? Could you correct qemu
> command line pls?

I also have lost write access to the wiki, no idea what happened there.
I started the page, but it subsequently became protected.

We never added support for the qemu command line directly, the
plan was to do that using helper scripts.

The only way to do it is to redirect both input and output
to the tap device, so you ned to do

-net nic,model=virtio,netdev=foo -netdev tap,id=foo,fd=3 <>3

when starting from bash.

	Arnd

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

Hi,

>    I'm starting a  thread related to the TODO item mentioned in the
> subject. Currently still gathering info and trying to make kvm &
> macvtap play nicely together. I have used this [1] guide to set it up
> but qemu is still complaining about the PCI device address of the
> virtio-net-pci. Tried with latest qemu. Am I missing something here?
>

Here are the suggestions received so far from Michael Tsirkin (and my
questions):

1. add a secondary mac (or third, etc) address to the guest virtio-net
interface.
    - This implies using a single macvtap interface to handle all the macs
    - How would that appear on the guest? As another interface? As a
virtual interface? This is tap-like behavior :).
    - The macvtap interface on the host shouldn't have a mac or should
ignore it.

2. create a vlan device on the guest virtio-net device

3. set promiscuous mode on guest virtio-net device
    - And that means STRICTLY guest promiscuous, right? You shouldn't
be able to receive frames from other VM's, right?

4. the above stuff must be controllable by host admin
  - Well, for this there are a few options:
    > admin switch that allows the guest user to add macs
    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
    > allow/disallow command for user in qemu (although this doesn't
seem to be supported)

What is the use-case for this project? From what I gather so far, the
guest user will be able to add interfaces/macs without rebooting the
VM. Am I correct? Anything else?

Thanks,
Dragos

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

Hi,

>    I'm starting a  thread related to the TODO item mentioned in the
> subject. Currently still gathering info and trying to make kvm &
> macvtap play nicely together. I have used this [1] guide to set it up
> but qemu is still complaining about the PCI device address of the
> virtio-net-pci. Tried with latest qemu. Am I missing something here?
>

Here are the suggestions received so far from Michael Tsirkin (and my
questions):

1. add a secondary mac (or third, etc) address to the guest virtio-net
interface.
    - This implies using a single macvtap interface to handle all the macs
    - How would that appear on the guest? As another interface? As a
virtual interface? This is tap-like behavior :).
    - The macvtap interface on the host shouldn't have a mac or should
ignore it.

2. create a vlan device on the guest virtio-net device

3. set promiscuous mode on guest virtio-net device
    - And that means STRICTLY guest promiscuous, right? You shouldn't
be able to receive frames from other VM's, right?

4. the above stuff must be controllable by host admin
  - Well, for this there are a few options:
    > admin switch that allows the guest user to add macs
    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
    > allow/disallow command for user in qemu (although this doesn't
seem to be supported)

What is the use-case for this project? From what I gather so far, the
guest user will be able to add interfaces/macs without rebooting the
VM. Am I correct? Anything else?

Thanks,
Dragos

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

> 1. add a secondary mac (or third, etc) address to the guest virtio-net
> interface.
Maybe I misunderstood this. Is it just setting another mac on the
guest virtio-net interface?

>
> 4. the above stuff must be controllable by host admin
>  - Well, for this there are a few options:
>    > admin switch that allows the guest user to add macs
>    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
>    > allow/disallow command for user in qemu (although this doesn't
> seem to be supported)
>
Well, on a second thought, qemu capabilities should be just fine, right?

-- Dragos

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

> 1. add a secondary mac (or third, etc) address to the guest virtio-net
> interface.
Maybe I misunderstood this. Is it just setting another mac on the
guest virtio-net interface?

>
> 4. the above stuff must be controllable by host admin
>  - Well, for this there are a few options:
>    > admin switch that allows the guest user to add macs
>    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
>    > allow/disallow command for user in qemu (although this doesn't
> seem to be supported)
>
Well, on a second thought, qemu capabilities should be just fine, right?

-- Dragos

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Michael S. Tsirkin]

On Mon, Nov 01, 2010 at 11:48:23AM +0100, Dragos Tatulea wrote:
> > 1. add a secondary mac (or third, etc) address to the guest virtio-net
> > interface.
> Maybe I misunderstood this. Is it just setting another mac on the
> guest virtio-net interface?

Well, yes, that's also not possible at the moment.  Or e.g. set more
than one mac per virtio-net device using macvlan.

> >
> > 4. the above stuff must be controllable by host admin
> >  - Well, for this there are a few options:
> >    > admin switch that allows the guest user to add macs
> >    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
> >    > allow/disallow command for user in qemu (although this doesn't
> > seem to be supported)
> >
> Well, on a second thought, qemu capabilities should be just fine, right?
> 
> -- Dragos

At some level, although I think we also want a way to disable
access that qemu can't override unless it has net admin capability.

-- 
MST

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Michael S. Tsirkin]

On Mon, Nov 01, 2010 at 11:48:23AM +0100, Dragos Tatulea wrote:
> > 1. add a secondary mac (or third, etc) address to the guest virtio-net
> > interface.
> Maybe I misunderstood this. Is it just setting another mac on the
> guest virtio-net interface?

Well, yes, that's also not possible at the moment.  Or e.g. set more
than one mac per virtio-net device using macvlan.

> >
> > 4. the above stuff must be controllable by host admin
> >  - Well, for this there are a few options:
> >    > admin switch that allows the guest user to add macs
> >    > preconfig allowed MAC's in mactap (or qemu config) for the guest user
> >    > allow/disallow command for user in qemu (although this doesn't
> > seem to be supported)
> >
> Well, on a second thought, qemu capabilities should be just fine, right?
> 
> -- Dragos

At some level, although I think we also want a way to disable
access that qemu can't override unless it has net admin capability.

-- 
MST

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

I have created a wiki page for this [1], also added to the networking
todo list [2]. No meaty information yet. But it's enough to start
working on it.

[1] - http://www.linux-kvm.org/page/GuestProgrammableMacVlanFiltering
[2] - http://www.linux-kvm.org/page/NetworkingTodo

-- Dragos

[Qemu-devel] Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Dragos Tatulea]

I have created a wiki page for this [1], also added to the networking
todo list [2]. No meaty information yet. But it's enough to start
working on it.

[1] - http://www.linux-kvm.org/page/GuestProgrammableMacVlanFiltering
[2] - http://www.linux-kvm.org/page/NetworkingTodo

-- Dragos

Re: TODO item: guest programmable mac/vlan filtering with macvtap

[Roopa Prabhu]

Dragos Tatulea <dragos.tatulea <at> gmail.com> writes:

> 
> I have created a wiki page for this [1], also added to the networking
> todo list [2]. No meaty information yet. But it's enough to start
> working on it.
> 
> [1] - http://www.linux-kvm.org/page/GuestProgrammableMacVlanFiltering
> [2] - http://www.linux-kvm.org/page/NetworkingTodo
> 

Hi Dragos,  I wanted to know if there were any updates to this work.
I am interested to try it out and also willing to help with anything possible.

Please let me know,

Thanks,
Roopa