From patchwork Sat Mar 22 13:00:13 2025
X-Patchwork-Submitter: 45mg <45mg.writes@gmail.com>
Subject: [bug#77153] [PATCH v2 3/3] doc: cookbook: Custom NAT-based libvirt networks.
To: 77153@debbugs.gnu.org
Cc: 45mg <45mg.writes@gmail.com>, Ludovic Courtès, Maxim Cournoyer
2002:a05:6a00:1953:b0:736:5486:781d with SMTP id d2e1a72fcca58-73905a27720mr10764369b3a.19.1742648429313; Sat, 22 Mar 2025 06:00:29 -0700 (PDT) Received: from localhost.localdomain (utm3.nitt.edu. [14.139.162.2]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-73905fd5747sm4074838b3a.55.2025.03.22.06.00.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 22 Mar 2025 06:00:29 -0700 (PDT) From: 45mg <45mg.writes@gmail.com> Date: Sat, 22 Mar 2025 18:30:13 +0530 Message-ID: X-Mailer: git-send-email 2.48.1 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * doc/guix-cookbook.texi (Virtual Machines): [Custom NAT-based network for libvirt]: New section. Change-Id: Ice79c5dc8183ec694ac8b846a5ec88cb98cac9ff --- doc/guix-cookbook.texi | 124 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 9c56790edc..68cd05e6f2 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -3751,6 +3751,7 @@ Virtual Machines @menu * Network bridge for QEMU:: * Routed network for libvirt:: +* Custom NAT-based network for libvirt:: @end menu @node Network bridge for QEMU 
@@ -3975,6 +3976,129 @@ Routed network for libvirt should work from within your VM; you can e.g.@: run @samp{ping gnu.org} to verify that it functions correctly. +@node Custom NAT-based network for libvirt +@section Custom NAT-based network for libvirt + +As mentioned in the preceding section (@pxref{Routed network for libvirt}), +libvirt allows virtual networks to be defined via XML files and managed +by the @command{virsh} command. The details of the creation and removal +of virtual network switches are handled by libvirt, so the user does not +have to deal with them. + +However, libvirt's handling of virtual network switches can sometimes +clash with more complex networking setups. In particular, the iptables +rules inserted by libvirt for switches operating in the NAT mode can +clash with existing iptables/nftables rules, leading to insecure or +broken packet filtering. + +In such cases, the only solution is to manually set up a virtual network +switch. This section will provide instructions on how to do so using +Guix System services. + +This section is based on +@url{https://jamielinux.com/docs/libvirt-networking-handbook/custom-nat-based-network.html, +the corresponding section from the (unofficial) libvirt Networking +Handbook}. It should be noted that at the time of writing (March 2025), +this resource had not been updated since 2015, and is therefore somewhat +outdated. In particular, the creation of a `dummy interface' is no +longer necessary. + +@subsection Creating the virtual network bridge + +The @code{static-networking-service-type} can be used to create a +virtual network bridge and assign an IP address to it: + +@example lisp +(service static-networking-service-type + (list (static-networking + ;; The default provision is 'networking; if you're using any + ;; other service with this provision, such as + ;; `network-manager-service-type`, then you need to change the + ;; default. 
+ (provision '(static-networking)) + (links + (list (network-link + (name "virbr0") + (type 'bridge) + (arguments '((stp_state . 1)))))) + (addresses + (list (network-address + (device "virbr0") + (value "192.168.10.1/24"))))))) +@end example + +@subsection Running dnsmasq for the virtual network bridge + +The @code{dnsmasq-service-type} can be used to provide DNS and DHCP for +guests connected to this virtual network switch: + +@example lisp +(service dnsmasq-service-type + (dnsmasq-configuration + ;; You can have multiple instances of `dnsmasq-service-type` as long + ;; as each one has a different provision. + (provision '(dnsmasq-virbr0)) + (extra-options (list + ;; Only bind to the virtual bridge. This + ;; avoids conflicts with other running + ;; dnsmasq instances. + "--except-interface=lo" + "--interface=virbr0" + "--bind-dynamic" + ;; IPv4 addresses to offer to VMs. This + ;; should match the chosen subnet. + "--dhcp-range=192.168.10.2,192.168.10.254")))) +@end example + +@subsection Configuring NAT for the virtual network switch + +If you intend to use the virtual network switch in NAT mode, you will +need to use nftables (or iptables) rules to set up IP masquerading. The +following example shows how to use @code{nftables-service-type} to do +this: + +@example lisp +(service nftables-service-type + (nftables-configuration + (ruleset + (plain-file "nftables.conf" + "\ +table inet filter @{ + + chain input @{ + type filter hook input priority filter; policy drop; + # Add your existing packet filtering rules here... + iifname virbr0 udp dport 67 counter accept comment \"allow dhcp on virbr0\" + iifname virbr0 meta l4proto @{tcp, udp@} th dport 53 accept \\ + comment \"allow dns on virbr0\" + @} + + chain forward @{ + type filter hook forward priority filter; policy drop; + # Add your existing forwarding rules here... 
+ iifname virbr0 accept comment \"allow outbound traffic from virbr0\" + oifname virbr0 ct state @{established, related @} accept \\ + comment \"allow established traffic to virbr0\" + @} + +@} + +table inet nat @{ + chain postrouting @{ + type nat hook postrouting priority srcnat; policy accept; + # Add your existing nat rules here... + iifname virbr0 ip daddr @{ 224.0.0.0/24, 255.255.255.255/32 @} return \\ + comment \"don't masquerade to reserved address blocks\" + iifname virbr0 oifname != virbr0 masquerade \\ + comment \"masquerade all outgoing traffic from VMs\" + @} +@} +")))) +@end example + +Ensure that you have IPv4 forwarding enabled (you can use +@code{sysctl-service-type} for this). + @c ********************************************************************* @node Advanced package management @chapter Advanced package management
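Review bot: In the nftables example of the new section, both the `input` and `forward` chains are `policy drop` while the only accept rules shown are the virbr0-specific ones, so a reader who pastes the ruleset as-is (replacing the `# Add your existing ... rules here...` comments with nothing) cuts the host off from its own return traffic and from loopback. The prose, or the placeholder comments themselves, should say that at minimum `iif lo accept` and `ct state established,related accept` belong in the `input` chain ahead of the virbr0 rules, and that a matching `ct state established,related accept` is normally wanted in `forward` as well. Related: `iifname virbr0 accept` in `forward` lets guests reach every network the host can reach, including its LAN, which matches libvirt's own NAT behaviour but deserves a sentence for readers who want isolation (e.g. restrict the rule with `oifname` to the uplink interface). Two smaller points: "the only solution is to manually set up a virtual network switch" overstates it, since libvirt networks with `<forward mode='open'/>` add no firewall rules at all, so "one solution" with a pointer would be more accurate; and the closing sentence "Ensure that you have IPv4 forwarding enabled" should name the setting (`net.ipv4.ip_forward = 1`), as it is the one sysctl the whole NAT section depends on.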