So you want to set up networking so virtual machines will have access to the outside world through your host’s network connection. To do this you’ll need to share your host’s external interface with virtual machines through a bridge.
A bridge can join two network segments and be used to inspect all Ethernet frames that pass between them. Create a bridge and a tap (tunnel) interface. Assign the tap and your host’s Ethernet interface to the bridge. Connect the bridge to the outside world. Your host puts the network card in promiscuous mode so it can handle frames for the other interfaces connected to the bridge. Using this method, a virtual machine can use the same physical connection through the tap interface connected to the bridge.
Create a new bridge
$ sudo brctl addbr bridge0
Create a tap interface for your virtual machine to use.
$ sudo openvpn --mktun --dev tap0
Mon Mar 22 01:51:19 2010 TUN/TAP device tap0 opened
Mon Mar 22 01:51:19 2010 Persist state set to: ON
Add the tap interface to the bridge.
$ sudo brctl addif bridge0 tap0
Add your real external interface to the bridge.
$ sudo brctl addif bridge0 eth0
Make sure the bridge exists and both interfaces are connected to it. Wonderful.
$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
bridge0         8000.001e4fab6950       no              eth0
                                                        tap0
You should already have a config file for your external interface. Change the config so it does not assign an address or ask for a DHCP lease; that will be handled by the bridge itself. NM_CONTROLLED=no prevents the NetworkManager GUI from manipulating the configuration.
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82566DM-2 Gigabit Network Connection
DEVICE=eth0
HWADDR=00:1A:2B:3C:4D:5E
ONBOOT=yes
BRIDGE=bridge0
BOOTPROTO=none
TYPE=Ethernet
NM_CONTROLLED=no
USERCTL=no
PEERDNS=yes
IPV6INIT=no
Create a basic config for the tap interface. You just need enough configuration to get it to come up.
$ sudo cat ifcfg-tap0
DEVICE=tap0
ONBOOT=yes
BOOTPROTO=none
Create a config for the bridge. Whatever method you used to get an address on eth0 before you created the bridge, use that here. For example, if you used DHCP before, then your bridge should use DHCP. If you had a static IP address assigned to eth0 before, then assign that IP address to the bridge instead.
$ cat /etc/sysconfig/network-scripts/ifcfg-bridge0
DEVICE=bridge0
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Bridge
IPV6INIT=no
USERCTL=no
Restart networking and you should have a working configuration at this point. eth0 and tap0 come up but don’t get any addressing, then the bridge comes up and gets an address. Wicked.
$ sudo /etc/init.d/network start
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface tap0: [ OK ]
Bringing up interface bridge0:
Determining IP information for bridge0... done.
[ OK ]
eth0 is connected to the bridge and will not have its own IP address, but you will see the HWaddr is now the same for eth0 and bridge0. At this point any traffic destined for the tap0 interface will get to eth0 through the bridge. eth0 is now in promiscuous mode.
You’re now ready to connect a virtual machine to tap0. If you’re using qemu, you should be able to specify the network configuration like this:
-net nic,model=pcnet,macaddr=00:55:44:33:22:11 -net tap,script=/etc/qemu-ifup
qemu-ifup needs to bring tap0 up. You can make a qemu-ifdown to bring the interface down too. There are examples of complicated scripts that create the bridge on the fly and bring up the interfaces, but they require you to lose your current network connection for a brief period. I didn’t like this so I run the bridge with eth0 and tap0 connected all the time.
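A minimal qemu-ifup/qemu-ifdown for this setup, written as an added example rather than taken from the post or from qemu’s own sample script. It assumes the bridge is named bridge0 and the tap is persistent (created with openvpn --mktun as above), so "up" only has to enable the interface and make sure it is a bridge port; it also refuses any interface name that is not tapN, since qemu hands the script whatever name it was given and a script that enslaves anything it receives could pull the wrong interface into the bridge. DRY_RUN is a hypothetical switch for checking the commands without root.

```shell
#!/bin/sh
# Install as /etc/qemu-ifup and symlink /etc/qemu-ifdown to it; qemu passes the
# interface name as $1.  (Added example; bridge name and DRY_RUN are assumptions.)
BRIDGE="${BRIDGE:-bridge0}"

# With DRY_RUN set, print each command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Only accept names of the form tap0..tap99; anything else (eth0, a name with
# shell metacharacters, an empty argument) is rejected before it reaches brctl.
valid_tap() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# sysfs lists a bridge's ports under /sys/class/net/<bridge>/brif/.
in_bridge() { [ -d "/sys/class/net/$BRIDGE/brif/$1" ]; }

ifup() {
    valid_tap "$1" || { echo "qemu-ifup: refusing to configure '$1'" >&2; return 1; }
    in_bridge "$1" || run brctl addif "$BRIDGE" "$1"   # already a port for persistent tap0
    run ifconfig "$1" up                                # no address on the tap; the bridge has it
}

ifdown() {
    valid_tap "$1" || { echo "qemu-ifdown: refusing to configure '$1'" >&2; return 1; }
    run ifconfig "$1" down                              # stays a bridge port, as on the page
}

case "${0##*/}" in
    qemu-ifup)   ifup "$1" ;;
    qemu-ifdown) ifdown "$1" ;;
esac
```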
If you’re behind a firewall such as iptables, you’ll probably need a rule to allow bridged devices to work.
$ sudo iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
$ sudo /etc/init.d/iptables save
$ sudo /etc/init.d/iptables restart
“bridge virbr0 is still up; can’t delete it”
You tried to delete an interface marked UP. Run “ifconfig
“virb0: unknown interface: No such device”
No interface exists with that name, typo?
“SIOCSIFFLAGS: Permission denied”
Non-root user tried to modify something with ifconfig.
“set stp status failed: Operation not permitted”
Non-root user tried to modify something with brctl.
“Determining IP information for eth0…dhclient(13276) is already running - exiting.”
You forgot to specify BRIDGE=bridge0 in ifcfg-eth0. Other than complaining at startup and network restarts, the network may even work this way in a simple configuration of just bridge0 and eth0.