[Qemu-discuss] use veth device with qemu

[Corin Langosch]

Hi guys,

I'd the like to run each qemu in its own netns, while still giving it full/ 
transparent network access. I can connect
qemu to the network by creating another bridge inside the guest netns with the 
veth peer and qemu tap device like this:

ip link add qemu1-h type veth peer name qemu1-g
brctl addif br0 qemu1-h
ip netns add qemu1
ip link set qemu1-g netns qemu1
ip netns exec qemu1 brctl addbr br0
ip netns exec qemu1 brctl addif br0 qemu1-g
ip netns exec qemu1 ip tuntap add tap0 mode tap
ip netns exec qemu1 brctl addif br0 tap0

ip netns exec qemu1 /opt/qemu/current/bin/qemu-system-x86_64 -enable-kvm -m 
1024 -netdev
tap,id=netdev1,ifname=tap0,script=,downscript= -device 
virtio-net-pci,id=nic1,addr=0x0a,mac=02:d6:c0:2c:ab:a1,netdev=netdev1

It works, but is there an easier (probably also more performant) solution to 
this? One without having to create another
bridge in each qemu netns and somehow use the veth peer with qemu directly?

Background information: I'm running many qemu guests with each guest having its 
own tap device on the host for
networking. For firewalling of the guests I use iptables on the host with 
connection tracking enabled (I cannot do the
firewalling inside the guests). However a single (very busy) guest can overflow 
the conntrack table on the host. As this
table is shared among all guests (and the host) this can render the whole host/ 
guests unreachable because the host
starts dropping packets/ connections. I hope (anybody knows?) conntrack is 
using separate data structures for each netns
and so putting each guest in its own netns would prevent overflowing conntrack 
on the host/ other guests.

Other suggestions to this problem are welcome.

Cheers
Corin