There are two approaches to KVM networking in libvirt: network address translation (NAT) and bridged networking. Network address translation is the default method, and bridged networking is meant only for very specific infrastructures.
For most admins, it’s best to start by understanding how KVM networking works in the default setup. By learning to navigate the NAT configuration files, you'll also become familiar with the settings you need if you want to create a custom setup. You could, for instance, create multiple NAT interfaces that allow you to change network traffic between different machines.
NAT configuration files
You can find the default NAT configuration in the file /usr/share/libvirt/networks/default.xml. Here’s an example of what it looks like:
[root@flo networks]# cat default.xml
<bridge name="virbr0" />
<ip address="192.168.122.1" netmask="255.255.255.0">
  <dhcp>
    <range start="192.168.122.2" end="192.168.122.254" />
  </dhcp>
</ip>
The NAT configuration file names the network device first. It’s a bit confusing, but the default for network address translation is a KVM network bridge device. The NAT configuration then defines IP addresses. The KVM network bridge has its own IP address and a range of associated IP addresses that can be assigned to VMs using the Dynamic Host Configuration Protocol. You can change these KVM networking parameters by modifying the configuration file and restarting the network or by using the graphical management interface in virt-manager, KVM’s virtual machine manager.
Using the virsh net-list command, you can automatically start the default NAT interface. After you start the physical host, you’ll see a virbr0 device. When you start the VMs, they’ll connect to this device and use network address translation to connect to one another and the host. This NAT configuration shows how two VMs have their network interface cards (NICs) connected to the virbr0 device.
[root@flo networks]# brctl show
Bridge name     Bridge ID     STP enabled     Interfaces
Each VM’s configuration file also indicates which network connects that VM to the host. For example:
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
In this VM’s configuration, the VM is connected through the host’s default network, but you’re free to connect to other network adapters on the host for more versatile KVM networking.
To implement the virtual network, the host automatically sets up IP forwarding, as well as iptables rules that create the network address translation device. IP forwarding is specified in the /proc/sys/net/ipv4/ip_forward file, which must contain the value 1 to enable the forwarding. The iptables rules are written to the Prerouting, Postrouting and Forward chains in the NAT table on the host. Make sure you don’t change them by accident, because that will break KVM networking connections to your host.
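As an added example (not part of the original article), the Python code below compares a libvirt NAT network definition with the host state described above: the DHCP range must sit inside the bridge subnet without covering the bridge's own address, ip_forward must be 1, and the nat table must hold a MASQUERADE rule for the subnet in POSTROUTING. The complete <network> wrapper, the sample rule line and the function names are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a complete network definition built from the values on this page.
NETWORK_XML = """<network>
  <name>default</name>
  <bridge name="virbr0"/>
  <forward mode="nat"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp><range start="192.168.122.2" end="192.168.122.254"/></dhcp>
  </ip>
</network>"""

# Constructed sample of `iptables-save -t nat` output on the host.
NAT_RULES = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT"""

def parse_network(xml_text):
    """Return bridge name, gateway, subnet and DHCP range from a network definition."""
    root = ET.fromstring(xml_text)
    ip = root.find("ip")
    iface = ipaddress.ip_interface(f"{ip.get('address')}/{ip.get('netmask')}")
    rng = ip.find("dhcp/range")
    return {"bridge": root.find("bridge").get("name"),
            "gateway": iface.ip, "subnet": iface.network,
            "dhcp": (ipaddress.ip_address(rng.get("start")),
                     ipaddress.ip_address(rng.get("end")))}

def audit(xml_text, ip_forward_text, nat_rules_text):
    """Compare the definition with host state; return a list of findings (empty = OK)."""
    net, findings = parse_network(xml_text), []
    start, end = net["dhcp"]
    if start > end or start not in net["subnet"] or end not in net["subnet"]:
        findings.append("DHCP range falls outside the bridge subnet")
    elif start <= net["gateway"] <= end:
        findings.append("DHCP range includes the bridge's own address")
    if ip_forward_text.strip() != "1":
        findings.append("ip_forward is not 1")
    masq = [line for line in nat_rules_text.splitlines()
            if line.startswith("-A POSTROUTING")
            and f"-s {net['subnet']} " in line and "-j MASQUERADE" in line]
    if not masq:
        findings.append(f"no MASQUERADE rule for {net['subnet']} in POSTROUTING")
    return findings

if __name__ == "__main__":
    print(audit(NETWORK_XML, "1\n", NAT_RULES) or "no findings")
```

On a real host, pass the contents of the network definition file, of /proc/sys/net/ipv4/ip_forward and the output of `iptables-save -t nat` in place of the constructed samples.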
This was first published in May 2011