From patchwork Sat Mar 22 17:03:17 2025
X-Patchwork-Submitter: 45mg <45mg.writes@gmail.com>
X-Patchwork-Id: 40635
Subject: [bug#77153] [PATCH v3 3/3] doc: cookbook: Custom NAT-based libvirt networks.
To: 77153@debbugs.gnu.org
Cc: 45mg <45mg.writes@gmail.com>, Ludovic Courtès, Maxim Cournoyer
2002:a17:902:d487:b0:224:de2:7fd6 with SMTP id d9443c01a7336-22780da8656mr110203985ad.25.1742663040083; Sat, 22 Mar 2025 10:04:00 -0700 (PDT) Received: from localhost.localdomain (utm3.nitt.edu. [14.139.162.2]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-227811d805bsm37898885ad.159.2025.03.22.10.03.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Mar 2025 10:03:59 -0700 (PDT) From: 45mg <45mg.writes@gmail.com> Date: Sat, 22 Mar 2025 22:33:17 +0530 Message-ID: <7368bad135cc2434f6b94ecd61832f7468afcead.1742661687.git.45mg.writes@gmail.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * doc/guix-cookbook.texi (Virtual Machines): [Custom NAT-based network for libvirt]: New section. [References]: New section. Change-Id: Ice79c5dc8183ec694ac8b846a5ec88cb98cac9ff --- doc/guix-cookbook.texi | 128 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 9c56790edc..2a49f4b27f 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -3751,6 +3751,8 @@ Virtual Machines @menu * Network bridge for QEMU:: * Routed network for libvirt:: +* Custom NAT-based network for libvirt:: +* References:: @end menu @node Network bridge for QEMU 
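Review bot: `* References::` introduces a node named plainly `References`, and Texinfo requires node names to be unique across the whole manual, so any other chapter of the cookbook that later wants its own reading list cannot reuse the name and `makeinfo` will reject the duplicate. Consider a chapter-specific name such as `* Virtual Machines References::` (with the matching `@node`/`@section` in the body hunk), or fold the single link into the section it supports instead of adding a new node.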
@@ -3975,6 +3977,132 @@ Routed network for libvirt should work from within your VM; you can e.g.@: run @samp{ping gnu.org} to verify that it functions correctly. +@node Custom NAT-based network for libvirt +@section Custom NAT-based network for libvirt + +As mentioned in the preceding section (@pxref{Routed network for libvirt}), +libvirt allows virtual networks to be defined via XML files and managed +by the @command{virsh} command. The details of the creation and removal +of virtual network switches are handled by libvirt, so the user does not +have to deal with them. + +However, libvirt's handling of virtual network switches can sometimes +clash with more complex networking setups. In particular, the iptables +rules inserted by libvirt for switches operating in the NAT mode can +clash with existing iptables/nftables rules, leading to insecure or +broken packet filtering. + +In such cases, the only solution is to manually set up a virtual network +switch. This section will provide instructions on how to do so using +Guix System services. + +@subsection Creating the virtual network bridge + +The @code{static-networking-service-type} can be used to create a +virtual network bridge and assign an IP address to it: + +@example lisp +(service static-networking-service-type + (list (static-networking + ;; The default provision is 'networking; if you're using any + ;; other service with this provision, such as + ;; `network-manager-service-type`, then you need to change the + ;; default. 
+ (provision '(static-networking)) + (links + (list (network-link + (name "virbr0") + (type 'bridge) + (arguments '())))) + (addresses + (list (network-address + (device "virbr0") + (value "192.168.10.1/24"))))))) +@end example + +@subsection Running dnsmasq for the virtual network bridge + +The @code{dnsmasq-service-type} can be used to provide DNS and DHCP for +guests connected to this virtual network switch: + +@example lisp +(service dnsmasq-service-type + (dnsmasq-configuration + ;; You can have multiple instances of `dnsmasq-service-type` as long + ;; as each one has a different provision. + (provision '(dnsmasq-virbr0)) + (extra-options (list + ;; Only bind to the virtual bridge. This + ;; avoids conflicts with other running + ;; dnsmasq instances. + "--except-interface=lo" + "--interface=virbr0" + "--bind-dynamic" + ;; IPv4 addresses to offer to VMs. This + ;; should match the chosen subnet. + "--dhcp-range=192.168.10.2,192.168.10.254")))) +@end example + +@subsection Configuring NAT for the virtual network switch + +If you intend to use the virtual network switch in NAT mode, you will +need to use nftables (or iptables) rules to set up IP masquerading. The +following example shows how to use @code{nftables-service-type} to do +this: + +@example lisp +(service nftables-service-type + (nftables-configuration + (ruleset + (plain-file "nftables.conf" + "\ +table inet filter @{ + + chain input @{ + type filter hook input priority filter; policy drop; + # Add your existing packet filtering rules here... + iifname virbr0 udp dport 67 counter accept comment \"allow dhcp on virbr0\" + iifname virbr0 meta l4proto @{tcp, udp@} th dport 53 accept \\ + comment \"allow dns on virbr0\" + @} + + chain forward @{ + type filter hook forward priority filter; policy drop; + # Add your existing forwarding rules here... 
+ iifname virbr0 accept comment \"allow outbound traffic from virbr0\" + oifname virbr0 ct state @{established, related @} accept \\ + comment \"allow established traffic to virbr0\" + @} + +@} + +table inet nat @{ + chain postrouting @{ + type nat hook postrouting priority srcnat; policy accept; + # Add your existing nat rules here... + iifname virbr0 ip daddr @{ 224.0.0.0/24, 255.255.255.255/32 @} return \\ + comment \"don't masquerade to reserved address blocks\" + iifname virbr0 oifname != virbr0 masquerade \\ + comment \"masquerade all outgoing traffic from VMs\" + @} +@} +")))) +@end example + +Ensure that you have IPv4 forwarding enabled (you can use +@code{sysctl-service-type} for this). + +@section References + +@itemize +@item +@uref{https://jamielinux.com/docs/libvirt-networking-handbook/index.html, +The (unofficial) libvirt Networking Handbook}@* +Note that this resource is rather outdated at the time of writing (as of +March 2025, it was last updated in 2015). Nevertheless, the authors of +this chapter have found it to be a valuable source of information. +@end itemize + @c ********************************************************************* @node Advanced package management @chapter Advanced package management
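Review bot: in the `chain forward` block, `iifname virbr0 accept` forwards guest traffic to every network the host can route to, not only the Internet, so guests on `virbr0` can reach the host's LAN and any other bridges on the host; if that is not the intent, the text should say so and show a narrower rule such as `iifname virbr0 oifname <uplink-interface> accept` restricted to the uplink. The `chain input` block likewise ships `policy drop` with only the DHCP and DNS accepts shown; a reader who copies the ruleset without merging their own rules at the `# Add your existing packet filtering rules here...` comment will also drop loopback and established inbound traffic and lock themselves out of the host, so an explicit `iif lo accept` and `ct state established,related accept` line in the example (or a sentence warning about it) would be worth adding. Finally, `Ensure that you have IPv4 forwarding enabled` could name the sysctl, `net.ipv4.ip_forward`, since that is the setting `sysctl-service-type` has to set for the forward chain to see any packets at all.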