diff options
author | Laine Stump <laine@redhat.com> | 2022-11-11 14:43:45 -0500 |
---|---|---|
committer | Laine Stump <laine@redhat.com> | 2023-01-09 14:24:27 -0500 |
commit | a8ee7ae301d432609718b97eb9bacc077bea2966 (patch) | |
tree | 0cf25310e1665ff236392b6422d3ff69c4c42987 /docs/formatdomain.rst | |
parent | 63fbe529fc98c8b42568e3b5eec39088ee1aef3b (diff) | |
download | libvirt-a8ee7ae301d432609718b97eb9bacc077bea2966.tar.gz |
conf: parse/format passt-related XML additions
This implements XML config to represent a subset of the features
supported by 'passt' (https://passt.top), which is an alternative
backend for emulated network devices that requires no elevated
privileges (similar to slirp, but "better").
Along with setting the backend to use passt (via <backend
type='passt'/> when the interface type='user'), we also support
passt's --log-file and --interface options (via the <backend>
subelement logFile and upstream attributes) and its --tcp-ports and
--udp-ports options (which selectively forward incoming connections to
the host on to the guest) via the new <portForward> subelement of
<interface>. Here is an example of the config for a network interface
that uses passt to connect:
<interface type='user'>
<mac address='52:54:00:a8:33:fc'/>
<ip address='192.168.221.122' family='ipv4'/>
<model type='virtio'/>
<backend type='passt' logFile='/tmp/xyzzy.log' upstream='eth0'/>
<portForward address='10.0.0.1' proto='tcp' dev='eth0'>
<range start='2022' to='22'/>
<range start='5000' end='5099' to='1000'/>
<range start='5010' end='5029' exclude='yes'/>
</portForward>
<portForward proto='udp'>
<range start='10101'/>
</portForward>
</interface>
In this case:
* the guest will be offered address 192.168.221.122 for its interface
via DHCP
* the passt process will write all log messages to /tmp/xyzzy.log
* routes to the outside for the guest will be derived from the
addresses and routes associated with the host interface "eth0".
* incoming tcp port 2022 to the host will be forwarded to port 22
on the guest.
* incoming tcp ports 5000-5099 (with the exception of ports 5010-5029)
to the host will be forwarded to port 1000-1099 on the guest.
* incoming udp packets on port 10101 will be forwarded (unchanged) to
the guest.
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Diffstat (limited to 'docs/formatdomain.rst')
-rw-r--r-- | docs/formatdomain.rst | 95 |
1 files changed, 83 insertions, 12 deletions
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 109a2ac45a..2c44f77ab6 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -4775,19 +4775,25 @@ to the interface. </devices> ... -Userspace SLIRP stack -^^^^^^^^^^^^^^^^^^^^^ +Userspace (SLIRP or passt) connection +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The ``user`` type connects the guest interface to the outside via a +transparent userspace proxy that doesn't require any special system +privileges, making it usable in cases when libvirt itself is running +with no privileges (e.g. libvirt's "session mode" daemon, or when +libvirt is run inside an unprivileged container). -Provides a virtual LAN with NAT to the outside world. The virtual network has -DHCP & DNS services and will give the guest VM addresses starting from -``10.0.2.15``. The default router will be ``10.0.2.2`` and the DNS server will -be ``10.0.2.3``. This networking is the only option for unprivileged users who -need their VMs to have outgoing access. :since:`Since 3.8.0` it is possible to -override the default network address by including an ``ip`` element specifying -an IPv4 address in its one mandatory attribute, ``address``. Optionally, a -second ``ip`` element with a ``family`` attribute set to "ipv6" can be specified -to add an IPv6 address to the interface. ``address``. Optionally, address -``prefix`` can be specified. +By default, this user proxy is done with QEMU's internal SLIRP driver +which has DHCP & DNS services that give the guest IP addresses +starting from ``10.0.2.15``, a default route of ``10.0.2.2`` and DNS +server of ``10.0.2.3``. :since:`Since 3.8.0` it is possible to override +the default network address by including an ``ip`` element specifying +an IPv4 address in its one mandatory attribute, +``address``. Optionally, a second ``ip`` element with a ``family`` +attribute set to "ipv6" can be specified to add an IPv6 address to the +interface. ``address``. Optionally, address ``prefix`` can be +specified. :: @@ -4803,6 +4809,71 @@ to add an IPv6 address to the interface. ``address``. Optionally, address </devices> ... +:since:`Since 9.0.0` an alternate backend implementation of the +``user`` interface type can be selected by setting the interface's +``<backend>`` subelement ``type`` attribute to ``passt``. In this +case, the passt transport (https://passt.top) is used. Similar to +SLIRP, passt has an internal DHCP server that provides a requesting +guest with one ipv4 and one ipv6 address; it then uses userspace +proxies and a separate network namespace to provide outgoing +UDP/TCP/ICMP sessions, and optionally redirect incoming traffic +destined for the host toward the guest instead. + +When the passt backend is used, the ``<backend>`` attribute +``logFile`` can be used to tell the passt process for this interface +where to write its message log, and the ``<backend>`` attribute +``upstream`` can tell it to restrict upstream traffic to a particular +host interface. + +Additionally, when passt is used, multiple ``<portForward>`` elements +can be added to forward incoming network traffic for the host to this +guest interface. Each ``<portForward>`` must have a ``proto`` +attribute (set to ``tcp`` or ``udp``) and optional original +``address`` (if not specified, then all incoming sessions to any host +IP for the given proto/port(s) will be forwarded to the guest). + +The decision of which ports to forward is described with zero or more +``<range>`` subelements of ``<portForward>`` (if there is no +``<range>`` then **all** ports for the given proto/address will be +forwarded). Each ``<range>`` has a ``start`` and optional ``end`` +attribute. If ``end`` is omitted then a single port will be forwarded, +otherwise all ports between ``start`` and ``end`` (inclusive) will be +forwarded. If the port number(s) should remain unmodified as the +session is forwarded, no further options are needed, but if the guest +is expecting the sessions on a different port, then this should be +specified with the ``to`` attribute of ``<range>`` - the port number +of each forwarded session in the range will be offeset by "``to`` - +``start``". A ``<range>`` element can also be used to specify a range +of ports that should **not** be forwarded. This is done by setting the +range's ``exclude`` attribute to ``yes``. This may not seem very +useful, but can be when it is desirable to forward a long range of +ports **with the exception of some subset**. + +:: + + ... + <devices> + ... + <interface type='user'> + <backend type='passt' logFile='/var/log/passt.log' upstream='eth0'/> + <mac address="00:11:22:33:44:55"/> + <ip family='ipv4' address='172.17.2.0' prefix='24'/> + <ip family='ipv6' address='2001:db8:ac10:fd01::' prefix='64'/> + <portForward proto='tcp' address='2001:db8:ac10:fd01::1:10' start='2022'> + <port start='22'/> + </portForward> + <portForward proto='udp' address='1.2.3.4' start='5000' end='5020'> + <port start='6000' end='6020'/> + </portForward> + <portForward exclude='yes' proto='tcp' address='1.2.3.4' start='5010' end='5015'/> + <portForward proto='tcp' start='80'/> + <portForward proto='tcp' start='443'> + <port start='344'/> + </portForward> + </interface> + </devices> + ... + Generic ethernet connection ^^^^^^^^^^^^^^^^^^^^^^^^^^^ |