TUN is for IP tunneling: a TUN interface hands the kernel raw IP packets (layer 3). TAP is for Ethernet tunneling: a TAP interface carries whole Ethernet frames (layer 2), which is why TAP, not TUN, is what you can attach to a bridge. Check out vtun if you’re looking for virtual tunnels over TCP/IP networks with traffic shaping, compression, and encryption, for example to get networking working in qemu or kvm. vtun also supports serial and pipe tunnels.
So you want to set up networking so virtual machines will have access to the outside world through your host’s network connection. To do this you’ll need to share your host’s external interface with virtual machines through a bridge. A bridge joins two network segments at layer 2 and can be used to inspect all Ethernet frames that pass between them. Create a bridge and a tap interface. Assign the tap and your host’s Ethernet interface to the bridge. Connect the bridge to the outside world: the host’s IP address moves from the Ethernet interface onto the bridge itself. Once the network card is enslaved to the bridge the kernel puts it in promiscuous mode, so it accepts frames addressed to the MACs of the other interfaces on the bridge (the guests) and not only its own. Keep in mind that bridged guests sit directly on your LAN with their own MAC addresses, and that iptables on the host does not see bridged frames unless br_netfilter is loaded; use ebtables or the nftables bridge family if you need to filter at that layer.
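The procedure above as a shell script, added here as an example rather than taken from the original post. It uses iproute2 and assumes the names br0 (bridge), eth0 (uplink), tap0 (tap) and a user “alice” who will run qemu; with DRY_RUN=1 (the default) it only prints the commands, with DRY_RUN=0 it executes them and needs root.

```shell
#!/bin/sh
# Bridged networking for a qemu/kvm guest using iproute2.
# Added example, not from the original post. br0/eth0/tap0/alice are
# assumed names. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them.
set -eu
: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A bridge forwards frames carrying the guest's MAC out of the uplink.
# Most Wi-Fi drivers and access points drop frames whose source MAC is not
# the station's own, so refuse a wireless uplink instead of failing later.
check_uplink() {
    uplink=$1
    if [ ! -e "/sys/class/net/$uplink" ]; then
        echo "no such interface: $uplink" >&2
        return 1
    fi
    if [ -d "/sys/class/net/$uplink/wireless" ]; then
        echo "refusing to bridge wireless interface $uplink" >&2
        return 1
    fi
}

# setup_bridge BRIDGE UPLINK TAP USER
# Creates the bridge and tap, enslaves uplink and tap to the bridge, and
# moves the host's address onto the bridge. Emits exactly nine commands.
setup_bridge() {
    br=$1; uplink=$2; tap=$3; owner=$4
    if [ "$DRY_RUN" != 1 ]; then
        check_uplink "$uplink"
    fi
    # The tap is owned by the unprivileged user that runs qemu, so qemu
    # itself never needs root to open /dev/net/tun.
    run ip tuntap add dev "$tap" mode tap user "$owner"
    run ip link add name "$br" type bridge
    # Enslaving the NIC puts it into promiscuous mode automatically; the
    # bridge now forwards frames for the tap's MAC through it.
    run ip link set dev "$uplink" master "$br"
    run ip link set dev "$tap" master "$br"
    # The host's IP belongs on the bridge, not on the enslaved NIC.
    run ip addr flush dev "$uplink"
    run ip link set dev "$uplink" up
    run ip link set dev "$tap" up
    run ip link set dev "$br" up
    # DHCP on the bridge; use "ip addr add" here for a static address.
    run dhclient "$br"
}

# qemu_cmdline TAP IMAGE: attach the guest to the existing tap. script=no
# stops qemu from running /etc/qemu-ifup, since the tap is already bridged.
qemu_cmdline() {
    tap=$1; image=$2
    echo "qemu-system-x86_64 -enable-kvm -m 2048 -drive file=$image,if=virtio" \
         "-netdev tap,id=net0,ifname=$tap,script=no,downscript=no" \
         "-device virtio-net-pci,netdev=net0"
}

setup_bridge "${BRIDGE:-br0}" "${UPLINK:-eth0}" "${TAP:-tap0}" "${OWNER:-alice}"
qemu_cmdline "${TAP:-tap0}" "${IMAGE:-guest.qcow2}"
```

Run it once as shown to review the commands, then again with `DRY_RUN=0` as root. Flushing the uplink’s address before bringing the bridge up is the step people most often skip; with the address left on eth0 the host ends up with the same IP on two interfaces and loses connectivity until the bridge has its own.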
Which is better? Which is faster? For a desktop system, I don’t think it really matters if you have to process a bunch of rules. How many can there be, and how much network traffic are you seeing anyway? It’s probably more efficient to modify your sysctl.conf, but it seems more organized to do it all with iptables.