From patchwork Fri Mar 21 15:22:00 2025
X-Patchwork-Submitter: 45mg <45mg.writes@gmail.com>
X-Patchwork-Id: 40560
Subject: [bug#77153] [PATCH 3/3] doc: cookbook: Document manual libvirt networking.
To: 77153@debbugs.gnu.org
Cc: 45mg <45mg.writes@gmail.com>, Ludovic Courtès, Maxim Cournoyer
Resent-Date: Fri, 21 Mar 2025 15:23:07 +0000
2002:a17:902:ef49:b0:224:24d3:60f4 with SMTP id d9443c01a7336-22780c786c8mr63649885ad.15.1742570559941; Fri, 21 Mar 2025 08:22:39 -0700 (PDT) Received: from localhost.localdomain (utm3.nitt.edu. [14.139.162.2]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-22780f3b493sm18118885ad.34.2025.03.21.08.22.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 21 Mar 2025 08:22:39 -0700 (PDT) From: 45mg <45mg.writes@gmail.com> Date: Fri, 21 Mar 2025 20:52:00 +0530 Message-ID: <60249f55cf80b1dbf41654728939cbc6e6bbcd4e.1742570314.git.45mg.writes@gmail.com> X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * doc/guix-cookbook.texi (Virtual Machines): [Manual libvirt networking]: New section. Change-Id: Ice79c5dc8183ec694ac8b846a5ec88cb98cac9ff --- doc/guix-cookbook.texi | 120 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 325b1d9c2a..338dba25be 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -3750,6 +3750,7 @@ Virtual Machines @menu * Network bridge for QEMU:: * Routed network for libvirt:: +* Manual libvirt networking:: @end menu @node Network bridge for QEMU 
@@ -3974,6 +3975,125 @@ Routed network for libvirt should work from within your VM; you can e.g.@: run @samp{ping gnu.org} to verify that it functions correctly. +@node Manual libvirt networking +@section Manual libvirt networking + +As mentioned in the preceding section (@pxref{Routed network for libvirt}), +libvirt allows virtual networks to be defined via XML files and managed +by the @command{virsh} command. The details of the creation and removal +of virtual network switches are handled by libvirt, so the user does not +have to deal with them. + +However, libvirt's handling of virtual network switches can sometimes +clash with more complex networking setups. In particular, the iptables +rules inserted by libvirt for switches operating in the NAT mode can +clash with existing iptables/nftables rules, leading to insecure or +broken packet filtering. + +In such cases, the only solution is to manually set up a virtual network +switch. This section will provide instructions on how to do so using +Guix System services. + +This section is based on +@url{https://jamielinux.com/docs/libvirt-networking-handbook/custom-nat-based-network.html, +the corresponding section from the (unofficial) libvirt Networking +Handbook}. It should be noted that at the time of writing (March 2025), +this resource had not been updated since 2015, and is therefore somewhat +outdated. In particular, the creation of a `dummy interface' is no +longer necessary. 
+ +@subsection Creating the virtual network bridge + +The @code{static-networking-service-type} can be used to create a +virtual network bridge and assign an IP address to it: + +@example lisp +(service static-networking-service-type + (list (static-networking + ;; The default provision is 'networking; if you're using any + ;; other service with this provision, such as + ;; `network-manager-service-type`, then you need to change the + ;; default + (provision '(static-networking)) + (links + (list (network-link + (name "virbr0") + (type 'bridge) + (arguments '((stp_state . 1)))))) + (addresses + (list (network-address + (device "virbr0") + (value "192.168.10.1/24"))))))) +@end example + +@subsection Running dnsmasq for the virtual network bridge + +The @code{dnsmasq-service-type} can be used to provide DNS and DHCP for +guests connected to this virtual network switch: + +@example lisp +(service dnsmasq-service-type + (dnsmasq-configuration + ;; You can have multiple instances of `dnsmasq-service-type` as long + ;; as each one has a different provision + (provision '(dnsmasq-virbr0)) + (extra-options (list + ;; Only bind to the virtual bridge. This + ;; avoids conflicts with other running + ;; dnsmasq instances. + "--except-interface=lo" + "--interface=virbr0" + "--bind-dynamic" + ;; IPv4 addresses to offer to VMs. This + ;; should match the chosen subnet. + "--dhcp-range=192.168.10.2,192.168.10.254")))) +@end example + +@subsection Configuring NAT for the virtual network switch + +If you intend to use the virtual network switch in NAT mode, you will +need to use nftables (or iptables) rules to set up IP masquerading. The +following example shows how to use @code{nftables-service-type} to do +this: + +@example lisp +(service nftables-service-type + (nftables-configuration + (ruleset + (plain-file "nftables.conf" + "\ +table inet filter @{ + + chain input @{ + type filter hook input priority filter; policy drop; + # Add your existing packet filtering rules here.... 
+ iifname "virbr0" udp dport 67 counter accept comment "allow dhcp on virbr0" + iifname "virbr0" meta l4proto @{tcp, udp@} th dport 53 accept comment "allow dns on virbr0" + @} + + chain forward @{ + type filter hook forward priority filter; policy drop; + # Add your existing forwarding rules here.... + iifname "virbr0" accept comment "allow outbound traffic from virbr0" + oifname "virbr0" ct state @{established, related @} accept comment "allow established traffic to virbr0" + @} + +@} + +table inet nat @{ + chain postrouting @{ + type nat hook postrouting priority srcnat; policy accept; + # Add your existing nat rules here... + iifname "virbr0" ip daddr @{ 224.0.0.0/24, 255.255.255.255/32 @} return comment "don't masquerade to reserved address blocks" + iifname "virbr0" oifname != "virbr0" masquerade comment "masquerade all outgoing traffic from VMs" + @} +@} +")))) +@end example + +Ensure that you have IPv4 forwarding enabled (you can use +@code{sysctl-service-type} for this). + @c ********************************************************************* @node Advanced package management @chapter Advanced package management
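Review bot: in the nftables example of the new "Configuring NAT for the virtual network switch" subsection, the forward-chain rule `iifname "virbr0" accept` and the postrouting rule `iifname "virbr0" oifname != "virbr0" masquerade` match on the ingress interface only, so any source address a guest puts on the wire is forwarded and masqueraded by the host; since the section fixes the bridge subnet to 192.168.10.0/24 a few lines earlier, both rules should also carry `ip saddr 192.168.10.0/24` so that only traffic from the documented subnet is forwarded and NATed, and spoofed guest sources are dropped by the chain's `policy drop`. The closing sentence "Ensure that you have IPv4 forwarding enabled (you can use @code{sysctl-service-type} for this)" leaves the reader to find the setting; naming `net.ipv4.ip_forward` as the key to set to `1` in the `settings` field of `sysctl-configuration` would make the recipe complete without leaving the cookbook. Minor style point: the DHCP input rule uses `counter` while the DNS rule on the next line does not; pick one form for both.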