8.2. Bridged networking with libvirt

Bridged networking (also known as physical device sharing) is used for dedicating a physical device to a virtual machine. Bridging is often used for more advanced setups and on servers with multiple network interfaces.

Disable Xen network scripts

If your system was using a Xen bridge, it is recommended to disable the default Xen network bridge by editing /etc/xen/xend-config.sxp and changing the line:

 (network-script network-bridge)

To:

 (network-script /bin/true)

Disable NetworkManager

NetworkManager does not support bridging. NetworkManager must be disabled to use the older network scripts networking.

# chkconfig NetworkManager off
# chkconfig network on
# service NetworkManager stop
# service network start

Note

Instead of turning off NetworkManager, you can add "NM_CONTROLLED=no" to the ifcfg-* scripts used in the examples.

Creating network initscripts

Create or edit the following two network configuration files. This step can be repeated (with different names) for additional network bridges.

Change to the /etc/sysconfig/network-scripts directory:

# cd /etc/sysconfig/network-scripts

Open the network script for the device you are adding to the bridge. In this example, ifcfg-eth0 defines the physical network interface which is set as part of a bridge:

DEVICE=eth0
# change the hardware address to match the hardware address your NIC uses
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=br0

Tip

You can configure the device's Maximum Transfer Unit (MTU) by appending an MTU variable to the end of the configuration file.

MTU=9000

Create a new network script in the /etc/sysconfig/network-scripts directory called ifcfg-br0 or similar. The br0 is the name of the bridge, this can be anything as long as the name of the file is the same as the DEVICE parameter.

DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0

Warning

The line, TYPE=Bridge, is case-sensitive. It must have uppercase 'B' and lower case 'ridge'.

After configuring, restart networking or reboot.

# service network restart

Configure iptables to allow all traffic to be forwarded across the bridge.

# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# service iptables save
# service iptables restart

Disable iptables on bridges

Alternatively, prevent bridged traffic from being processed by iptables rules. In /etc/sysctl.conf append the following lines:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Reload the kernel parameters configured with sysctl

# sysctl -p /etc/sysctl.conf

Restart the libvirt daemon.

# service libvirtd reload

You should now have a "shared physical device", which guests can be attached and have full LAN access. Verify your new bridge:

# brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.000000000000       yes
br0             8000.000e0cb30550       no              eth0

Note, the bridge is completely independent of the virbr0 bridge. Do not attempt to attach a physical device to virbr0. The virbr0 bridge is only for Network Address Translation (NAT) connectivity.