shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-10-30 20:24:58 +03:00
Code Releases Activity
Files
ff16bde100e19fbff17a964c08321f30f87afb22
libvirt/docs/formatnetwork.html.in
Ján Tomko 794235e813 docs: clarify nat range behavior 
All the addresses from the range are used, not just those
that are in use on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=1079917
2015-02-18 15:36:45 +01:00

1240 lines
58 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<h1>Network XML format</h1>
<ul id="toc">
</ul>
<p>
This page provides an introduction to the network XML format. For background
information on the concepts referred to here, consult the <a href="archnetwork.html">network driver architecture</a>
page.
</p>
<h2><a name="elements">Element and attribute overview</a></h2>
<p>
The root element required for all virtual networks is
named <code>network</code> and has no configurable attributes
(although <span class="since">since 0.10.0</span> there is one
optional read-only attribute - when examining the live
configuration of a network, the
attribute <code>connections</code>, if present, specifies the
number of guest interfaces currently connected via this
network). The network XML format is
available <span class="since">since 0.3.0</span>
</p>
<h3><a name="elementsMetadata">General metadata</a></h3>
<p>
The first elements provide basic metadata about the virtual
network.
</p>
<pre>
&lt;network ipv6='yes' trustGuestRxFilters='no'&gt;
&lt;name&gt;default&lt;/name&gt;
&lt;uuid&gt;3e3fce45-4f53-4fa7-bb32-11f34168b82b&lt;/uuid&gt;
...</pre>
<dl>
<dt><code>name</code></dt>
<dd>The content of the <code>name</code> element provides
a short name for the virtual network. This name should
consist only of alpha-numeric characters and is required
to be unique within the scope of a single host. It is
used to form the filename for storing the persistent
configuration file. <span class="since">Since 0.3.0</span></dd>
<dt><code>uuid</code></dt>
<dd>The content of the <code>uuid</code> element provides
a globally unique identifier for the virtual network.
The format must be RFC 4122 compliant, eg <code>3e3fce45-4f53-4fa7-bb32-11f34168b82b</code>.
If omitted when defining/creating a new network, a random
UUID is generated. <span class="since">Since 0.3.0</span></dd>
<dt><code>ipv6='yes'</code></dt>
<dd>The new, optional parameter <code>ipv6='yes'</code> enables
a network definition with no IPv6 gateway addresses specified
to have guest-to-guest communications. For further information,
see the example below for the example with no gateway addresses.
<span class="since">Since 1.0.1</span></dd>
<dt><code>trustGuestRxFilters='yes'</code></dt>
<dd>The optional parameter <code>trustGuestRxFilters</code> can
be used to set that attribute of the same name for each domain
interface connected to this network (<span class="since">since
1.2.10</span>). See
the <a href="formatdomain.html#elementSNICS">Network
interfaces</a> section of the domain XML documentation for
more details. Note that an explicit setting of this attribute
in a portgroup or the individual domain interface will
override the setting in the network.</dd>
</dl>
<h3><a name="elementsConnect">Connectivity</a></h3>
<p>
The next set of elements control how a virtual network is
provided connectivity to the physical LAN (if at all).
</p>
<pre>
...
&lt;bridge name="virbr0" stp="on" delay="5" macTableManager="libvirt"/&gt;
&lt;domain name="example.com" localOnly="no"/&gt;
&lt;forward mode="nat" dev="eth0"/&gt;
...</pre>
<dl>
<dt><code>bridge</code></dt>
<dd>The <code>name</code> attribute on the <code>bridge</code> element
defines the name of a bridge device which will be used to construct
the virtual network. The virtual machines will be connected to this
bridge device allowing them to talk to each other. The bridge device
may also be connected to the LAN. When defining
a new network with a <code>&lt;forward&gt;</code> mode of
"nat" or "route" (or an isolated network with
no <code>&lt;forward&gt;</code> element), libvirt will
automatically generate a unique name for the bridge device if
none is given, and this name will be permanently stored in the
network configuration so that that the same name will be used
every time the network is started. For these types of networks
(nat, routed, and isolated), a bridge name beginning with the
prefix "virbr" is recommended (and that is what is
auto-generated), but not enforced.
Attribute <code>stp</code> specifies if Spanning Tree Protocol
is 'on' or 'off' (default is
'on'). Attribute <code>delay</code> sets the bridge's forward
delay value in seconds (default is 0).
<span class="since">Since 0.3.0</span>
<p>
The <code>macTableManager</code> attribute of the bridge
element is used to tell libvirt how the bridge's MAC address
table (used to determine the correct egress port for packets
based on destination MAC address) will be managed. In the
default <code>kernel</code> setting, the kernel
automatically adds and removes entries, typically using
learning, flooding, and promiscuous mode on the bridge's
ports in order to determine the proper egress port for
packets. When <code>macTableManager</code> is set
to <code>libvirt</code>, libvirt disables kernel management
of the MAC table (in the case of the Linux host bridge, this
means enabling vlan_filtering on the bridge, and disabling
learning and unicast_filter for all bridge ports), and
explicitly adds/removes entries to the table according to
the MAC addresses in the domain interface configurations.
Allowing libvirt to manage the MAC table can improve
performance - with a Linux host bridge, for example, turning
off learning and unicast_flood on ports has its own
performance advantage, and can also lead to an additional
boost by permitting the kernel to automatically turn off
promiscuous mode on some ports of the bridge (in particular,
the port attaching the bridge to the physical
network). However, it can also cause some networking setups
to stop working (e.g. vlan tagging, multicast,
guest-initiated changes to MAC address) and is not supported
by older kernels.
<span class="since">Since 1.2.11, requires kernel 3.17 or
newer</span>
</p>
</dd>
<dt><code>domain</code></dt>
<dd>
The <code>name</code> attribute on the <code>domain</code>
element defines the DNS domain of the DHCP server. This
element is optional, and is only used for those networks with
a <code>&lt;forward&gt;</code> mode of "nat" or "route" (or an
isolated network with no <code>&lt;forward&gt;</code>
element). <span class="since">Since 0.4.5</span>
<p>
If the optional <code>localOnly</code> attribute on the
<code>domain</code> element is "yes", then DNS requests under
this domain will only be resolved by the virtual network's own
DNS server - they will not be forwarded to the host's upstream
DNS server. If <code>localOnly</code> is "no", and by
default, unresolved requests <b>will</b> be forwarded.
<span class="since">Since 1.2.12</span>
</p>
</dd>
<dt><code>forward</code></dt>
<dd>Inclusion of the <code>forward</code> element indicates that
the virtual network is to be connected to the physical
LAN.<span class="since">Since 0.3.0.</span>
The <code>mode</code> attribute determines the method of
forwarding. If there is no <code>forward</code> element, the
network will be isolated from any other network (unless a
guest connected to that network is acting as a router, of
course). The following are valid settings
for <code>mode</code> (if there is a <code>forward</code>
element but mode is not specified, <code>mode='nat'</code> is
assumed):
<dl>
<dt><code>nat</code></dt>
<dd>
All traffic between guests connected to this network and
the physical network will be forwarded to the physical
network via the host's IP routing stack, after the guest's
IP address is translated to appear as the host machine's
public IP address (a.k.a. Network Address Translation, or
"NAT"). This allows multiple guests, all having access to
the physical network, on a host that is only allowed a
single public IP address. If a network has any IPv6
addresses defined, the IPv6 traffic will be forwarded
using plain routing, since IPv6 has no concept of NAT.
Firewall rules will allow outbound connections to any
other network device whether ethernet, wireless, dialup,
or VPN. If the <code>dev</code> attribute is set, the
firewall rules will restrict forwarding to the named
device only. Inbound connections from other networks are
all prohibited; all connections between guests on the same
network, and to/from the host to the guests, are
unrestricted and not NATed.<span class="since">Since
0.4.2</span>
<p><span class="since">Since 1.0.3</span> it is possible to
specify a public IPv4 address and port range to be used for
the NAT by using the <code>&lt;nat&gt;</code> subelement.
Note that all addresses from the range are used, not just those
that are in use on the host.
The address range is set with the <code>&lt;address&gt;</code>
subelements and <code>start</code> and <code>stop</code>
attributes:
</p>
<pre>
...
&lt;forward mode='nat'&gt;
&lt;nat&gt;
&lt;address start='1.2.3.4' end='1.2.3.10'/&gt;
&lt;/nat&gt;
&lt;/forward&gt;
...</pre>
<p>
A single IPv4 address can be set by setting
<code>start</code> and <code>end</code> attributes to
the same value.
</p>
<p>
The port range to be used for the <code>&lt;nat&gt;</code> can
be set via the subelement <code>&lt;port&gt;</code>:
</p>
<pre>
...
&lt;forward mode='nat'&gt;
&lt;nat&gt;
&lt;port start='500' end='1000'/&gt;
&lt;/nat&gt;
&lt;/forward&gt;
...</pre>
</dd>
<dt><code>route</code></dt>
<dd>
Guest network traffic will be forwarded to the physical
network via the host's IP routing stack, but without
having NAT applied. Again, if the <code>dev</code>
attribute is set, firewall rules will restrict forwarding
to the named device only. This presumes that the local LAN
router has suitable routing table entries to return
traffic to this host. All incoming and outgoing sessions
to guest on these networks are unrestricted. (To restrict
incoming traffic to a guest on a routed network, you can
configure <a href="formatnwfilter.html">nwfilter rules</a>
on the guest's interfaces.)
<span class="since">Since 0.4.2</span>
</dd>
<dt><code>bridge</code></dt>
<dd>
This network describes either 1) an existing host bridge
that was configured outside of libvirt (if
a <code>&lt;bridge name='xyz'/&gt;</code> element has been
specified, <span class="since">Since 0.9.4</span>), 2) an
existing Open vSwitch bridge that was configured outside of
libvirt (if both a <code>&lt;bridge name='xyz'/&gt;</code>
element <b>and</b> a <code>&lt;virtualport
type='openvswitch'/&gt;</code> have been
specified <span class="since">Since 0.10.0</span>) 3) an
interface or group of interfaces to be used for a "direct"
connection via macvtap using macvtap's "bridge" mode (if
the forward element has one or
more <code>&lt;interface&gt;</code>
subelements, <span class="since">Since 0.9.4</span>)
(see <a href="formatdomain.html#elementsNICSDirect">Direct
attachment to physical interface</a> for descriptions of
the various macvtap modes). libvirt doesn't attempt to
manage the bridge interface at all, thus
the <code>&lt;bridge&gt;</code> element's <code>stp</code>
and <code>delay</code> attributes are not allowed; no
iptables rules, IP addresses, or DHCP/DNS services are
added; at the IP level, the guest interface appears to be
directly connected to the physical
interface.<span class="since">Since 0.9.4</span>
</dd>
<dt><code>private</code></dt>
<dd>
This network uses a macvtap "direct" connection in
"private" mode to connect each guest to the network. The
physical interface to be used will be picked from among
those listed in <code>&lt;interface&gt;</code> subelements
of the <code>&lt;forward&gt;</code> element; when using
802.1Qbh mode (as indicated by
the <code>&lt;virtualport&gt;</code> type attribute - note
that this requires an 802.1Qbh-capable hardware switch),
each physical interface can only be in use by a single
guest interface at a time; in modes other than 802.1Qbh,
multiple guest interfaces can share each physical
interface (libvirt will attempt to balance usage between
all available interfaces).<span class="since">Since
0.9.4</span>
</dd>
<dt><code>vepa</code></dt>
<dd>
This network uses a macvtap "direct" connection in "vepa"
mode to connect each guest to the network (this requires
that the physical interfaces used be connected to a
vepa-capable hardware switch. The physical interface to be
used will be picked from among those listed
in <code>&lt;interface&gt;</code> subelements of
the <code>&lt;forward&gt;</code> element; multiple guest
interfaces can share each physical interface (libvirt will
attempt to balance usage between all available
interfaces).<span class="since">Since 0.9.4</span>
</dd>
<dt><code>passthrough</code></dt>
<dd>
This network uses a macvtap "direct" connection in
"passthrough" mode to connect each guest to the network
(note that this is <i>not</i> the same thing as "PCI
passthrough"). The physical interface to be used will be
picked from among those listed
in <code>&lt;interface&gt;</code> subelements of
the <code>&lt;forward&gt;</code> element. Each physical
interface can only be in use by a single guest interface
at a time, so libvirt will keep track of which interfaces
are currently in use, and only assign unused interfaces
(if there are no available physical interfaces when a
domain interface is being attached, an error will be
logged, and the operation causing the attach will fail
(usually either a domain start, or a hotplug interface
attach to a domain).<span class="since">Since 0.9.4</span>
</dd>
<dt><code>hostdev</code></dt>
<dd>
This network facilitates PCI Passthrough of a network
device. A network device is chosen from the interface
pool and directly assigned to the guest using generic
device passthrough, after first optionally setting the
device's MAC address and vlan tag to the configured value,
and optionally associating the device with an 802.1Qbh
capable switch using a <code>&lt;virtualport&gt;</code>
element. Note that - due to limitations in standard
single-port PCI ethernet card driver design - only SR-IOV
(Single Root I/O Virtualization) virtual function (VF)
devices can be assigned in this manner; to assign a
standard single-port PCI or PCIe ethernet card to a guest,
use the traditional <code>&lt;hostdev&gt;</code> device
definition. <span class="since"> Since 0.10.0</span>
<p>
To force use of a particular type of device assignment,
a &lt;forward type='hostdev'&gt; interface can have an
optional <code>driver</code> sub-element with
a <code>name</code> attribute set to either "vfio" (VFIO
is a new method of device assignment that is compatible
with UEFI Secure Boot) or "kvm" (the legacy device
assignment handled directly by the KVM kernel module)
<span class="since">Since 1.0.5 (QEMU and KVM only,
requires kernel 3.6 or newer)</span>. When specified,
device assignment will fail if the requested method of
device assignment isn't available on the host. When not
specified, the default is "vfio" on systems where the
VFIO driver is available and loaded, and "kvm" on older
systems, or those where the VFIO driver hasn't been
loaded <span class="since">Since 1.1.3</span> (prior to
that the default was always "kvm").
</p>
<p>Note that this "intelligent passthrough" of network
devices is very similar to the functionality of a
standard <code>&lt;hostdev&gt;</code> device, the
difference being that this method allows specifying a MAC
address, vlan tag, and <code>&lt;virtualport&gt;</code>
for the passed-through device. If these capabilities are
not required, if you have a standard single-port PCI,
PCIe, or USB network card that doesn't support SR-IOV (and
hence would anyway lose the configured MAC address during
reset after being assigned to the guest domain), or if you
are using a version of libvirt older than 0.10.0, you
should use a standard
<code>&lt;hostdev&gt;</code> device definition in the
domain's configuration to assign the device to the guest
instead of defining an <code>&lt;interface
type='network'&gt;</code> pointing to a network
with <code>&lt;forward mode='hostdev'/&gt;</code>.
</p>
</dd>
</dl>
As mentioned above, a <code>&lt;forward&gt;</code> element can
have multiple <code>&lt;interface&gt;</code> subelements, each
one giving the name of a physical interface that can be used
for this network <span class="since">Since 0.9.4</span>:
<pre>
...
&lt;forward mode='passthrough'&gt;
&lt;interface dev='eth10'/&gt;
&lt;interface dev='eth11'/&gt;
&lt;interface dev='eth12'/&gt;
&lt;interface dev='eth13'/&gt;
&lt;interface dev='eth14'/&gt;
&lt;/forward&gt;
...
</pre>
<p>
<span class="since">since 0.10.0</span>,
<code>&lt;interface&gt;</code> also has an optional read-only
attribute - when examining the live configuration of a
network, the attribute <code>connections</code>, if present,
specifies the number of guest interfaces currently connected
via this physical interface.
</p>
<p>
Additionally, <span class="since">since 0.9.10</span>, libvirt
allows a shorthand for specifying all virtual interfaces
associated with a single physical function, by using
the <code>&lt;pf&gt;</code> subelement to call out the
corresponding physical interface associated with multiple
virtual interfaces:
</p>
<pre>
...
&lt;forward mode='passthrough'&gt;
&lt;pf dev='eth0'/&gt;
&lt;/forward&gt;
...
</pre>
<p>When a guest interface is being constructed, libvirt will pick
an interface from this list to use for the connection. In
modes where physical interfaces can be shared by multiple
guest interfaces, libvirt will choose the interface that
currently has the least number of connections. For those modes
that do not allow sharing of the physical device (in
particular, 'passthrough' mode, and 'private' mode when using
802.1Qbh), libvirt will choose an unused physical interface
or, if it can't find an unused interface, fail the operation.</p>
<p>
<span class="since">since 0.10.0</span> When using forward
mode 'hostdev', the interface pool is specified with a list
of <code>&lt;address&gt;</code> elements, each of which has
<code>&lt;type&gt;</code> (must always be <code>'pci'</code>),
<code>&lt;domain&gt;</code>, <code>&lt;bus&gt;</code>,
<code>&lt;slot&gt;</code>and <code>&lt;function&gt;</code>
attributes.
</p>
<pre>
...
&lt;forward mode='hostdev' managed='yes'&gt;
&lt;driver name='vfio'/&gt;
&lt;address type='pci' domain='0' bus='4' slot='0' function='1'/&gt;
&lt;address type='pci' domain='0' bus='4' slot='0' function='2'/&gt;
&lt;address type='pci' domain='0' bus='4' slot='0' function='3'/&gt;
&lt;/forward&gt;
...
</pre>
Alternatively the interface pool can also be defined using a
single physical function <code>&lt;pf&gt;</code> subelement to
call out the corresponding physical interface associated with
multiple virtual interfaces (similar to passthrough mode):
<pre>
...
&lt;forward mode='hostdev' managed='yes'&gt;
&lt;pf dev='eth0'/&gt;
&lt;/forward&gt;
...
</pre>
</dd>
</dl>
<h5><a name="elementQoS">Quality of service</a></h5>
<pre>
...
&lt;forward mode='nat' dev='eth0'/&gt;
<b>&lt;bandwidth&gt;
&lt;inbound average='1000' peak='5000' burst='5120'/&gt;
&lt;outbound average='128' peak='256' burst='256'/&gt;
&lt;/bandwidth&gt;</b>
...</pre>
<p>
The <code>&lt;bandwidth&gt;</code> element allows setting
quality of service for a particular network
(<span class="since">since 0.9.4</span>). Setting
<code>bandwidth</code> for a network is supported only
for networks with a <code>&lt;forward&gt;</code> mode
of <code>route</code>, <code>nat</code>, or no mode at all
(i.e. an "isolated" network). Setting <code>bandwidth</code>
is <b>not</b> supported for forward modes
of <code>bridge</code>, <code>passthrough</code>, <code>private</code>,
or <code>hostdev</code>. Attempts to do this will lead to
a failure to define the network or to create a transient network.
</p>
<p>
The <code>&lt;bandwidth&gt;</code> element can only be a
subelement of a domain's <code>&lt;interface&gt;</code>, a
subelement of a <code>&lt;network&gt;</code>, or a subelement of
a <code>&lt;portgroup&gt;</code> in a <code>&lt;network&gt;</code>.
</p>
<p>
As a subelement of a domain's <code>&lt;interface&gt;</code>,
the bandwidth only applies to that one interface of the domain.
As a subelement of a <code>&lt;network&gt;</code>, the bandwidth
is a total aggregate bandwidth to/from all guest interfaces attached
to that network, <b>not</b> to each guest interface individually.
If a domain's <code>&lt;interface&gt;</code> has
<code>&lt;bandwidth&gt;</code> element values higher
than the aggregate for the entire network, then the aggregate
bandwidth for the <code>&lt;network&gt;</code> takes precedence.
This is because the two choke points are independent of each other
where the domain's <code>&lt;interface&gt;</code> bandwidth control
is applied on the interface's tap device, while the
<code>&lt;network&gt;</code> bandwidth control is applied on the
interface part of the bridge device created for that network.
</p>
<p>
As a subelement of a
<code>&lt;portgroup&gt;</code> in a <code>&lt;network&gt;</code>,
if a domain's <code>&lt;interface&gt;</code> has a
<code>portgroup</code> attribute in its
<code>&lt;source&gt;</code> element <b>and</b> if the
<code>&lt;interface&gt;</code>
itself has no <code>&lt;bandwidth&gt;</code> element, then the
<code>&lt;bandwidth&gt;</code> element of the portgroup will be
applied individually to each guest interface defined to be a
member of that portgroup. Any <code>&lt;bandwidth&gt;</code>
element in the domain's <code>&lt;interface&gt;</code> definition
will override the setting in the portgroup
(<span class="since">since 1.0.1</span>).
</p>
<p>
Incoming and outgoing traffic can be shaped independently. The
<code>bandwidth</code> element can have at most one
<code>inbound</code> and at most one <code>outbound</code>
child element. Leaving either of these children elements out
results in no QoS applied for that traffic direction. So,
when you want to shape only incoming traffic, use
<code>inbound</code> only, and vice versa. Each of these
elements have one mandatory attribute - <code>average</code> (or
<code>floor</code> as described below). The attributes are as follows,
where accepted values for each attribute is an integer number.
</p>
<dl>
<dt><code>average</code></dt>
<dd>
Specifies the desired average bit rate for the interface
being shaped (in kilobytes/second).
</dd>
<dt><code>peak</code></dt>
<dd>
Optional attribute which specifies the maximum rate at
which the bridge can send data (in kilobytes/second).
Note the limitation of implementation: this attribute in the
<code>outbound</code> element is ignored (as Linux ingress
filters don't know it yet).
</dd>
<dt><code>burst</code></dt>
<dd>
Optional attribute which specifies the amount of kilobytes that
can be transmitted in a single burst at <code>peak</code> speed.
</dd>
<dt><code>floor</code></dt>
<dd>
Optional attribute available only for the <code>inbound</code>
element. This attribute guarantees minimal throughput for
shaped interfaces. This, however, requires that all traffic
goes through one point where QoS decisions can take place, hence
why this attribute works only for virtual networks for now
(that is <code>&lt;interface type='network'/&gt;</code> with a
forward type of route, nat, or no forward at all). Moreover, the
virtual network the interface is connected to is required to have
at least inbound QoS set (<code>average</code> at least). If
using the <code>floor</code> attribute users don't need to specify
<code>average</code>. However, <code>peak</code> and
<code>burst</code> attributes still require <code>average</code>.
Currently, the Linux kernel doesn't allow ingress qdiscs to have
any classes therefore <code>floor</code> can be applied only
on <code>inbound</code> and not <code>outbound</code>.
</dd>
</dl>
<p>
Attributes <code>average</code>, <code>peak</code>, and
<code>burst</code> are available
<span class="since">since 0.9.4</span>, while the
<code>floor</code> attribute is available
<span class="since">since 1.0.1</span>.
</p>
<h5><a name="elementVlanTag">Setting VLAN tag (on supported network types only)</a></h5>
<pre>
&lt;network&gt;
&lt;name&gt;ovs-net&lt;/name&gt;
&lt;forward mode='bridge'/&gt;
&lt;bridge name='ovsbr0'/&gt;
&lt;virtualport type='openvswitch'&gt;
&lt;parameters interfaceid='09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f'/&gt;
&lt;/virtualport&gt;
<b>&lt;vlan trunk='yes'&gt;</b>
<b>&lt;tag id='42' nativeMode='untagged'/&gt;</b>
<b>&lt;tag id='47'/&gt;</b>
<b>&lt;/vlan&gt;</b>
&lt;portgroup name='dontpanic'&gt;
<b>&lt;vlan&gt;</b>
<b>&lt;tag id='42'/&gt;</b>
<b>&lt;/vlan&gt;</b>
&lt;/portgroup&gt;
&lt;/network&gt;
</pre>
<p>
If (and only if) the network type supports vlan tagging
transparent to the guest, an optional <code>&lt;vlan&gt;</code>
element can specify one or more vlan tags to apply to the
traffic of all guests using this
network <span class="since">Since 0.10.0</span>. (openvswitch
and type='hostdev' SR-IOV networks do support transparent vlan
tagging of guest traffic; everything else, including standard
linux bridges and libvirt's own virtual networks, <b>do not</b>
support it. 802.1Qbh (vn-link) and 802.1Qbg (VEPA) switches
provide their own way (outside of libvirt) to tag guest traffic
onto specific vlans.) As expected, the <code>tag</code>
attribute specifies which vlan tag to use. If a network has more
than one <code>&lt;vlan&gt;</code> element defined, it is
assumed that the user wants to do VLAN trunking using all the
specified tags. In the case that vlan trunking with a single tag
is desired, the optional attribute <code>trunk='yes'</code> can
be added to the vlan element.
</p>
<p>
For network connections using openvswitch it is possible to
configure the 'native-tagged' and 'native-untagged' vlan modes
<span class="since">Since 1.1.0</span>. This uses the optional
<code>nativeMode</code> attribute on the <code>&lt;tag&gt;</code>
element: <code>nativeMode</code> may be set to 'tagged' or
'untagged'. The id attribute of the element sets the native vlan.
</p>
<p>
<code>&lt;vlan&gt;</code> elements can also be specified in
a <code>&lt;portgroup&gt;</code> element, as well as directly in
a domain's <code>&lt;interface&gt;</code> element. In the case
that a vlan tag is specified in multiple locations, the setting
in <code>&lt;interface&gt;</code> takes precedence, followed by
the setting in the <code>&lt;portgroup&gt;</code> selected by
the interface config. The <code>&lt;vlan&gt;</code>
in <code>&lt;network&gt;</code> will be selected only if none is
given in <code>&lt;portgroup&gt;</code>
or <code>&lt;interface&gt;</code>.
</p>
<h5><a name="elementsPortgroup">Portgroups</a></h5>
<pre>
...
&lt;forward mode='private'/&gt;
&lt;interface dev="eth20"/&gt;
&lt;interface dev="eth21"/&gt;
&lt;interface dev="eth22"/&gt;
&lt;interface dev="eth23"/&gt;
&lt;interface dev="eth24"/&gt;
&lt;/forward&gt;
<b>&lt;portgroup name='engineering' default='yes'&gt;
&lt;virtualport type='802.1Qbh'&gt;
&lt;parameters profileid='test'/&gt;
&lt;/virtualport&gt;
&lt;bandwidth&gt;
&lt;inbound average='1000' peak='5000' burst='5120'/&gt;
&lt;outbound average='1000' peak='5000' burst='5120'/&gt;
&lt;/bandwidth&gt;
&lt;/portgroup&gt;</b>
<b>&lt;portgroup name='sales' trustGuestRxFilters='no'&gt;
&lt;virtualport type='802.1Qbh'&gt;
&lt;parameters profileid='salestest'/&gt;
&lt;/virtualport&gt;
&lt;bandwidth&gt;
&lt;inbound average='500' peak='2000' burst='2560'/&gt;
&lt;outbound average='128' peak='256' burst='256'/&gt;
&lt;/bandwidth&gt;
&lt;/portgroup&gt;</b>
...</pre>
<p>
<span class="since">Since 0.9.4</span>
A portgroup provides a method of easily putting guest
connections to the network into different classes, with each
class potentially having a different level/type of service.
<span class="since">Since 0.9.4</span> Each
network can have multiple portgroup elements (and one of those
can optionally be designated as the 'default' portgroup for the
network), and each portgroup has a name, as well as various
attributes and subelements associated with it. The currently supported
subelements are <code>&lt;bandwidth&gt;</code>
(described <a href="formatnetwork.html#elementQoS">here</a>)
and <code>&lt;virtualport&gt;</code>
(documented <a href="formatdomain.html#elementsNICSDirect">here</a>).
If a domain interface definition specifies a portgroup (by
adding a <code>portgroup</code> attribute to
the <code>&lt;source&gt;</code> subelement), that portgroup's
info will be merged into the interface's configuration. If no
portgroup is given in the interface definition, and one of the
network's portgroups has <code>default='yes'</code>, that
default portgroup will be used. If no portgroup is given in the
interface definition, and there is no default portgroup, then
none will be used. Any <code>&lt;bandwidth&gt;</code>
specified directly in the domain XML will take precedence over
any setting in the chosen portgroup. if
a <code>&lt;virtualport&gt;</code> is specified in the portgroup
(and/or directly in the network definition), the multiple
virtualports will be merged, and any parameter that is specified
in more than one virtualport, and is not identical, will be
considered an error, and will prevent the interface from
starting.
</p>
<p>
portgroups also support the optional
parameter <code>trustGuestRxFilters</code> which can be used to
set that attribute of the same name for each domain interface
using this portgroup (<span class="since">since
1.2.10</span>). See
the <a href="formatdomain.html#elementSNICS">Network
interfaces</a> section of the domain XML documentation for more
details. Note that an explicit setting of this attribute in the
portgroup overrides the network-wide setting, and an explicit
setting in the individual domain interface will override the
setting in the portgroup.
</p>
<h5><a name="elementsStaticroute">Static Routes</a></h5>
<p>
Static route definitions are used to provide routing information
to the virtualization host for networks which are not directly
reachable from the virtualization host, but *are* reachable from
a guest domain that is itself reachable from the
host <span class="since">since 1.0.6</span>.
</p>
<p>
As shown in <a href="formatnetwork.html#examplesNoGateway">this
example</a>, it is possible to define a virtual network
interface with no IPv4 or IPv6 addresses. Such networks are
useful to provide host connectivity to networks which are only
reachable via a guest. A guest with connectivity both to the
guest-only network and to another network that is directly
reachable from the host can act as a gateway between the
networks. A static route added to the "host-visible" network
definition provides the routing information so that IP packets
can be sent from the virtualization host to guests on the hidden
network.
</p>
<p>
Here is a fragment of a definition which shows the static
route specification as well as the IPv4 and IPv6 definitions
for network addresses which are referred to in the
<code>gateway</code> gateway address specifications. Note
that the third static route specification includes the
<code>metric</code> attribute specification with a value of 2.
This particular route would *not* be preferred if there was
another existing rout on the system with the same address and
prefix but with a lower value for the metric. If there is a
route in the host system configuration that should be overridden
by a route in a virtual network whenever the virtual network is
running, the configuration for the system-defined route should
be modified to have a higher metric, and the route on the
virtual network given a lower metric (for example, the default
metric of "1").
</p>
<pre>
...
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.128" end="192.168.122.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;route address="192.168.222.0" prefix="24" gateway="192.168.122.2" /&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" /&gt;
&lt;route family="ipv6" address="2001:db8:ca2:3::" prefix="64" gateway="2001:db8:ca2:2::2"/&gt;
&lt;route family="ipv6" address="2001:db9:4:1::" prefix="64" gateway="2001:db8:ca2:2::3" metric='2'&gt;
&lt;/route&gt;
...
</pre>
<h3><a name="elementsAddress">Addressing</a></h3>
<p>
The final set of elements define the addresses (IPv4 and/or
IPv6, as well as MAC) to be assigned to the bridge device
associated with the virtual network, and optionally enable DHCP
services. These elements are only valid for isolated networks
(no <code>forward</code> element specified), and for those with
a forward mode of 'route' or 'nat'.
</p>
<pre>
...
&lt;mac address='00:16:3E:5D:C7:9E'/&gt;
&lt;domain name="example.com"/&gt;
&lt;dns&gt;
&lt;txt name="example" value="example value" /&gt;
&lt;forwarder addr="8.8.8.8"/&gt;
&lt;forwarder addr="8.8.4.4"/&gt;
&lt;srv service='name' protocol='tcp' domain='test-domain-name' target='.' port='1024' priority='10' weight='10'/&gt;
&lt;host ip='192.168.122.2'&gt;
&lt;hostname&gt;myhost&lt;/hostname&gt;
&lt;hostname&gt;myhostalias&lt;/hostname&gt;
&lt;/host&gt;
&lt;/dns&gt;
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.100" end="192.168.122.254" /&gt;
&lt;host mac="00:16:3e:77:e2:ed" name="foo.example.com" ip="192.168.122.10" /&gt;
&lt;host mac="00:16:3e:3e:a9:1a" name="bar.example.com" ip="192.168.122.11" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" /&gt;
&lt;route family="ipv6" address="2001:db9:ca1:1::" prefix="64" gateway="2001:db8:ca2:2::2" /&gt;
&lt;/network&gt;</pre>
<dl>
<dt><code>mac</code></dt>
<dd>The <code>address</code> attribute defines a MAC
(hardware) address formatted as 6 groups of 2-digit
hexadecimal numbers, the groups separated by colons
(eg, <code>"52:54:00:1C:DA:2F"</code>). This MAC address is
assigned to the bridge device when it is created. Generally
it is best to not specify a MAC address when creating a
network - in this case, if a defined MAC address is needed for
proper operation, libvirt will automatically generate a random
MAC address and save it in the config. Allowing libvirt to
generate the MAC address will assure that it is compatible
with the idiosyncrasies of the platform where libvirt is
running. <span class="since">Since 0.8.8</span>
</dd>
<dt><code>dns</code></dt>
<dd> The dns element of a network contains configuration
information for the virtual network's DNS
server <span class="since">Since 0.9.3</span>.
<p>
The dns element
can have an optional <code>forwardPlainNames</code>
attribute <span class="since">Since 1.1.2</span>.
If <code>forwardPlainNames</code> is "no", then DNS resolution
requests for names that are not qualified with a domain
(i.e. names with no "." character) will not be forwarded to
the host's upstream DNS server - they will only be resolved if
they are known locally within the virtual network's own DNS
server. If <code>forwardPlainNames</code> is "yes",
unqualified names <b>will</b> be forwarded to the upstream DNS
server if they can't be resolved by the virtual network's own
DNS server.
</p>
Currently supported sub-elements of <code>&lt;dns&gt;</code> are:
<dl>
<dt><code>forwarder</code></dt>
<dd>A <code>dns</code> element can have 0 or
more <code>forwarder</code> elements. Each forwarder
element defines an IP address to be used as forwarder in
DNS server configuration. The addr attribute is required
and defines the IP address of every
forwarder. <span class="since">Since 1.1.3</span>
</dd>
<dt><code>txt</code></dt>
<dd>A <code>dns</code> element can have 0 or more <code>txt</code> elements.
Each txt element defines a DNS TXT record and has two attributes, both
required: a name that can be queried via dns, and a value that will be
returned when that name is queried. names cannot contain embedded spaces
or commas. value is a single string that can contain multiple values
separated by commas. <span class="since">Since 0.9.3</span>
</dd>
<dt><code>host</code></dt>
<dd>The <code>host</code> element within <code>dns</code> is the
definition of DNS hosts to be passed to the DNS service. The IP
address is identified by the <code>ip</code> attribute and the names
for that IP address are identified in the <code>hostname</code>
sub-elements of the <code>host</code> element.
<span class="since">Since 0.9.3</span>
</dd>
</dl>
<dl>
<dt><code>srv</code></dt>
<dd>The <code>dns</code> element can have also 0 or more <code>srv</code>
record elements. Each <code>srv</code> record element defines a DNS SRV record
and has 2 mandatory and 5 optional attributes. The mandatory attributes
are service name and protocol (tcp, udp) and the optional attributes are
target, port, priority, weight and domain as defined in DNS server SRV
RFC (RFC 2782).
<span class="since">Since 0.9.9</span>
</dd>
</dl>
</dd>
<dt><code>ip</code></dt>
<dd>The <code>address</code> attribute defines an IPv4 address in
dotted-decimal format, or an IPv6 address in standard
colon-separated hexadecimal format, that will be configured on
the bridge
device associated with the virtual network. To the guests this IPv4
address will be their IPv4 default route. For IPv6, the default route is
established via Router Advertisement.
For IPv4 addresses, the <code>netmask</code>
attribute defines the significant bits of the network address,
again specified in dotted-decimal format. For IPv6 addresses,
and as an alternate method for IPv4 addresses, you can specify
the significant bits of the network address with the <code>prefix</code>
attribute, which is an integer (for example, <code>netmask='255.255.255.0'</code>
could also be given as <code>prefix='24'</code>. The <code>family</code>
attribute is used to specify the type of address - 'ipv4' or 'ipv6'; if no
<code>family</code> is given, 'ipv4' is assumed. A network can have more than
one of each family of address defined, but only a single IPv4 address can have a
<code>dhcp</code> or <code>tftp</code> element. <span class="since">Since 0.3.0 </span>
IPv6, multiple addresses on a single network, <code>family</code>, and
<code>prefix</code> are support <span class="since">Since 0.8.7</span>.
Similar to IPv4, one IPv6 address per network can also have
a <code>dhcp</code> definition. <span class="since">Since 1.0.1</span>
<dl>
<dt><code>tftp</code></dt>
<dd>Immediately within
the <code>ip</code> element there is an optional <code>tftp</code>
element. The presence of this element and of its attribute
<code>root</code> enables TFTP services. The attribute specifies
the path to the root directory served via TFTP. <code>tftp</code> is not
supported for IPv6 addresses, and can only be specified on a single IPv4 address
per network.
<span class="since">Since 0.7.1</span>
</dd>
<dt><code>dhcp</code></dt>
<dd>Also within the <code>ip</code> element there is an
optional <code>dhcp</code> element. The presence of this element
enables DHCP services on the virtual network. It will further
contain one or more <code>range</code> elements. The
<code>dhcp</code> element supported for both
IPv4 <span class="since">Since 0.3.0</span>
and IPv6 <span class="since">Since 1.0.1</span>, but
only for one IP address of each type per network.
<dl>
<dt><code>range</code></dt>
<dd>The <code>start</code> and <code>end</code> attributes on the
<code>range</code> element specify the boundaries of a pool of
addresses to be provided to DHCP clients. These two addresses
must lie within the scope of the network defined on the parent
<code>ip</code> element. There may be zero or more
<code>range</code> elements specified.
<span class="since">Since 0.3.0</span>
<code>range</code> can be specified for one IPv4 address,
one IPv6 address, or both. <span class="since">Since 1.0.1</span>
</dd>
<dt><code>host</code></dt>
<dd>Within the <code>dhcp</code> element there may be zero or more
<code>host</code> elements. These specify hosts which will be given
names and predefined IP addresses by the built-in DHCP server. Any
IPv4 <code>host</code> element must specify the MAC address of the host to be assigned
a given name (via the <code>mac</code> attribute), the IP to be
assigned to that host (via the <code>ip</code> attribute), and the
name to be given that host by the DHCP server (via the
<code>name</code> attribute). <span class="since">Since 0.4.5</span>
An IPv6 <code>host</code> element differs slightly from that for IPv4:
there is no <code>mac</code> attribute since a MAC address has no
defined meaning in IPv6. Instead, the <code>name</code> attribute is
used to identify the host to be assigned the IPv6 address. For DHCPv6,
the name is the plain name of the client host sent by the
client to the server. Note that this method of assigning a
specific IP address can also be used instead of the <code>mac</code>
attribute for IPv4. <span class="since">Since 1.0.1</span>
</dd>
<dt><code>bootp</code></dt>
<dd>The optional <code>bootp</code>
element specifies BOOTP options to be provided by the DHCP
server for IPv4 only.
Two attributes are supported: <code>file</code> is mandatory and
gives the file to be used for the boot image; <code>server</code> is
optional and gives the address of the TFTP server from which the boot
image will be fetched. <code>server</code> defaults to the same host
that runs the DHCP server, as is the case when the <code>tftp</code>
element is used. The BOOTP options currently have to be the same
for all address ranges and statically assigned addresses.<span
class="since">Since 0.7.1 (<code>server</code> since 0.7.3).</span>
</dd>
</dl>
</dd>
</dl>
</dd>
</dl>
<h2><a name="examples">Example configuration</a></h2>
<h3><a name="examplesNAT">NAT based network</a></h3>
<p>
This example is the so called "default" virtual network. It is
provided and enabled out-of-the-box for all libvirt installations.
This is a configuration that allows guest OS to get outbound
connectivity regardless of whether the host uses ethernet, wireless,
dialup, or VPN networking without requiring any specific admin
configuration. In the absence of host networking, it at least allows
guests to talk directly to each other.
</p>
<pre>
&lt;network&gt;
&lt;name&gt;default&lt;/name&gt;
&lt;bridge name="virbr0" /&gt;
&lt;forward mode="nat"/&gt;
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.2" end="192.168.122.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" /&gt;
&lt;/network&gt;</pre>
<p>
Below is a variation of the above example which adds an IPv6
dhcp range definition.
</p>
<pre>
&lt;network&gt;
&lt;name&gt;default6&lt;/name&gt;
&lt;bridge name="virbr0" /&gt;
&lt;forward mode="nat"/&gt;
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.2" end="192.168.122.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" &gt;
&lt;dhcp&gt;
&lt;range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesRoute">Routed network config</a></h3>
<p>
This is a variant on the default network which routes traffic
from the virtual network to the LAN without applying any NAT.
It requires that the IP address range be pre-configured in the
routing tables of the router on the host network. This example
further specifies that guest traffic may only go out via the
<code>eth1</code> host network device.
</p>
<pre>
&lt;network&gt;
&lt;name&gt;local&lt;/name&gt;
&lt;bridge name="virbr1" /&gt;
&lt;forward mode="route" dev="eth1"/&gt;
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.2" end="192.168.122.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" /&gt;
&lt;/network&gt;</pre>
<p>
Below is another IPv6 variation. Instead of a dhcp range being
specified, this example has a couple of IPv6 host definitions.
Note that most of the dhcp host definitions use an "id" (client
id or DUID) since this has proven to be a more reliable way
of specifying the interface and its association with an IPv6
address. The first is a DUID-LLT, the second a DUID-LL, and
the third a DUID-UUID. <span class="since">Since 1.0.3</span>
</p>
<pre>
&lt;network&gt;
&lt;name&gt;local6&lt;/name&gt;
&lt;bridge name="virbr1" /&gt;
&lt;forward mode="route" dev="eth1"/&gt;
&lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.122.2" end="192.168.122.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" &gt;
&lt;dhcp&gt;
&lt;host name="paul" ip="2001:db8:ca2:2:3::1" /&gt;
&lt;host id="0:1:0:1:18:aa:62:fe:0:16:3e:44:55:66" ip="2001:db8:ca2:2:3::2" /&gt;
&lt;host id="0:3:0:1:0:16:3e:11:22:33" name="ralph" ip="2001:db8:ca2:2:3::3" /&gt;
&lt;host id="0:4:7e:7d:f0:7d:a8:bc:c5:d2:13:32:11:ed:16:ea:84:63" name="badbob" ip="2001:db8:ca2:2:3::4" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;/network&gt;</pre>
<p>
Below is yet another IPv6 variation. This variation has only
IPv6 defined with DHCPv6 on the primary IPv6 network. A static
link if defined for a second IPv6 network which will not be
directly visible on the bridge interface but there will be a
static route defined for this network via the specified
gateway. Note that the gateway address must be directly
reachable via (on the same subnet as) one of the &lt;ip&gt;
addresses defined for this &lt;network&gt;.
<span class="since">Since 1.0.6</span>
</p>
<pre>
&lt;network&gt;
&lt;name&gt;net7&lt;/name&gt;
&lt;bridge name="virbr7" /&gt;
&lt;forward mode="route"/&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:7::1" prefix="64" &gt;
&lt;dhcp&gt;
&lt;range start="2001:db8:ca2:7::100" end="2001:db8:ca2::1ff" /&gt;
&lt;host id="0:4:7e:7d:f0:7d:a8:bc:c5:d2:13:32:11:ed:16:ea:84:63" name="lucas" ip="2001:db8:ca2:2:3::4" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;route family="ipv6" address="2001:db8:ca2:8::" prefix="64" gateway="2001:db8:ca2:7::4" &gt;
&lt;/route&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesPrivate">Isolated network config</a></h3>
<p>
This variant provides a completely isolated private network
for guests. The guests can talk to each other, and the host
OS, but cannot reach any other machines on the LAN, due to
the omission of the <code>forward</code> element in the XML
description.
</p>
<pre>
&lt;network&gt;
&lt;name&gt;private&lt;/name&gt;
&lt;bridge name="virbr2" /&gt;
&lt;ip address="192.168.152.1" netmask="255.255.255.0"&gt;
&lt;dhcp&gt;
&lt;range start="192.168.152.2" end="192.168.152.254" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:3::1" prefix="64" /&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesPrivate6">Isolated IPv6 network config</a></h3>
<p>
This variation of an isolated network defines only IPv6.
Note that most of the dhcp host definitions use an "id" (client
id or DUID) since this has proven to be a more reliable way
of specifying the interface and its association with an IPv6
address. The first is a DUID-LLT, the second a DUID-LL, and
the third a DUID-UUID. <span class="since">Since 1.0.3</span>
</p>
<pre>
&lt;network&gt;
&lt;name&gt;sixnet&lt;/name&gt;
&lt;bridge name="virbr6" /&gt;
&lt;ip family="ipv6" address="2001:db8:ca2:6::1" prefix="64" &gt;
&lt;dhcp&gt;
&lt;host name="peter" ip="2001:db8:ca2:6:6::1" /&gt;
&lt;host id="0:1:0:1:18:aa:62:fe:0:16:3e:44:55:66" ip="2001:db8:ca2:6:6::2" /&gt;
&lt;host id="0:3:0:1:0:16:3e:11:22:33" name="dariusz" ip="2001:db8:ca2:6:6::3" /&gt;
&lt;host id="0:4:7e:7d:f0:7d:a8:bc:c5:d2:13:32:11:ed:16:ea:84:63" name="anita" ip="2001:db8:ca2:6:6::4" /&gt;
&lt;/dhcp&gt;
&lt;/ip&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesBridge">Using an existing host bridge</a></h3>
<p>
<span class="since">Since 0.9.4</span>
This shows how to use a pre-existing host bridge "br0". The
guests will effectively be directly connected to the physical
network (i.e. their IP addresses will all be on the subnet of
the physical network, and there will be no restrictions on
inbound or outbound connections).
</p>
<pre>
&lt;network&gt;
&lt;name&gt;host-bridge&lt;/name&gt;
&lt;forward mode="bridge"/&gt;
&lt;bridge name="br0"/&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesDirect">Using a macvtap "direct" connection</a></h3>
<p>
<span class="since">Since 0.9.4, QEMU and KVM only, requires
Linux kernel 2.6.34 or newer</span>
This shows how to use macvtap to connect to the physical network
directly through one of a group of physical devices (without
using a host bridge device). As with the host bridge network,
the guests will effectively be directly connected to the
physical network so their IP addresses will all be on the subnet
of the physical network, and there will be no restrictions on
inbound or outbound connections. Note that, due to a limitation
in the implementation of macvtap, these connections do not allow
communication directly between the host and the guests - if you
require this you will either need the attached physical switch
to be operating in a mirroring mode (so that all traffic coming
to the switch is reflected back to the host's interface), or
provide alternate means for this communication (e.g. a second
interface on each guest that is connected to an isolated
network). The other forward modes that use macvtap (private,
vepa, and passthrough) would be used in a similar fashion.
</p>
<pre>
&lt;network&gt;
&lt;name&gt;direct-macvtap&lt;/name&gt;
&lt;forward mode="bridge"&gt;
&lt;interface dev="eth20"/&gt;
&lt;interface dev="eth21"/&gt;
&lt;interface dev="eth22"/&gt;
&lt;interface dev="eth23"/&gt;
&lt;interface dev="eth24"/&gt;
&lt;/forward&gt;
&lt;/network&gt;</pre>
<h3><a name="examplesNoGateway">Network config with no gateway addresses</a></h3>
<p>
A valid network definition can contain no IPv4 or IPv6 addresses. Such a definition
can be used for a "very private" or "very isolated" network since it will not be
possible to communicate with the virtualization host via this network. However,
this virtual network interface can be used for communication between virtual guest
systems. This works for IPv4 and <span class="since">(Since 1.0.1)</span> IPv6.
However, the new ipv6='yes' must be added for guest-to-guest IPv6
communication.
</p>
<pre>
&lt;network ipv6='yes'&gt;
&lt;name&gt;nogw&lt;/name&gt;
&lt;uuid&gt;7a3b7497-1ec7-8aef-6d5c-38dff9109e93&lt;/uuid&gt;
&lt;bridge name="virbr2" stp="on" delay="0" /&gt;
&lt;mac address='00:16:3E:5D:C7:9E'/&gt;
&lt;/network&gt;</pre>
</body>
</html>
View Git Blame Copy Permalink