[Qemu-devel] Bridging 802.1q tagged interfaces into a VM

[John Morrissey]

I'm trying to bridge an 802.1q tagged interface into a VM. In other words,
eth0 on the machine running QEMU/KVM is an 802.1q tagged interface, which I
place in a bridge group and attach to a VM with a tap interface, like so:

sudo kvm -hda /var/lib/libvirt/vm/jwm01.qcow -m 512 \
    -net nic,model=e1000,vlan=0 \
    -net tap,vlan=0,ifname=tap0,script=/etc/kvm/kvm-ifup

address@hidden:pts/0 /etc/kvm> cat kvm-ifup
#!/bin/sh

switch=br0
/sbin/ifconfig $1 0.0.0.0 up
/usr/sbin/brctl addif ${switch} $1
exit 0

My goal in this is to allow VMs to set up arbitrary VLAN subinterfaces.
Since our collective VMs will need to attach to nearly a dozen VLANs, I'm
trying to avoid setting up all VLANs on the QEMU/KVM host with the
concomitant bridge groups.

The problem seems to be that something is stripping the 802.1q VLAN tags
after they leave the VM. If I tcpdump(8) inside the VM on the VLAN
subinterface, I see the frames 802.1q-tagged in the correct VLAN for the
subinterface.

However, if I tcpdump the QEMU/KVM host's tap0 or eth0, the frames are
untagged. This happens regardless of whether the VLAN in question is active
on the QEMU/KVM host's Ethernet interface (i.e., even when the VLAN has been
added to the interface with 'vconfig add eth0 VLANNUM'). I'm not sure if
this is Linux kernel behavior or QEMU/KVM behavior.

FWIW, both the host and the VM are running Patrick McHardy's kernel updates
to pass VLANs correctly to network taps when the network device driver has
hardware VLAN acceleration enabled
(http://marc.info/?l=linux-netdev&m=121560557112292&w=2).

I observed the same behavior with pcap network support
(http://lists.gnu.org/archive/html/qemu-devel/2008-07/msg00045.html): frames
are tagged inside the VLAN but the tag is not present on the host's tap and
Ethernet interfaces.

Lastly, I'm a little confused about the "VLAN" terminology in the QEMU
network configuration guide. It seems QEMU has some concept of internal
"VLANs" that are QEMU-specific and separate from 802.1q tagging that can be
used to create private network connections between VMs. Is this correct?

john
-- 
John Morrissey          _o            /\         ----  __o
address@hidden        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__