KVM (Kernel-mode Virtual Machine)

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.



Kernel-mode Virtual Machines (http://kvm.qumranet.com/) is a virtualization platform that leverages the virtualization capabilities available with current microprocessors from both Intel™ and AMD™. For an overview of KVM, please see my 2008 Linuxfest Northwest presentation.

I use KVM to implement a number of virtual machines running various Linux Distributions. The following diagram shows the entire network.

My personal laptop (Ursa) hosts the virtual machines. As shown in the diagram, Ursa has routes to the Internet through both the Linksys™ WRT300N and through my Shorewall firewall. This allows me to test the Shorewall Multi-ISP feature.

The Linux Bridges shown in the diagram are, of course, actually within their associated system (Firewall or Ursa) but I've pictured them separately.

Networking Configuration

I use a network configuration where each VM has its own VNET and tap device and the tap devices are all configured as ports on a Linux Bridge. For clarity, I've only shown four of the virtual machines available on the system.

I run dmsmasq to act as a DHCP server and name server for the VMs.

The bridge is configured using the script described in my Linuxfest presentation linked above. The script may be found at https://shorewall.org/pub/shorewall/contrib/kvm/kvm.

With this configuration, and with only a single network interface on the laptop, this is just a simple two-interface masquerading setup where the local network interface is br0. As with all bridges, br0 must be configured with the routeback option in shorewall-interfaces(5).

For additional information about this setup, including the Shorewall configuration, see https://shorewall.org/MultiISP.html#Shared


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation

Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page