Now that I am playing around with Open vSwitch, I wanted to create a hidden bridge in front of my virtual systems, one that is a VM itself. All traffic should pass through that virtual system.
My Open vSwitch configuration is pretty simple. There is a switch (a switch basically is a bridge, in case you wonder why ovs-vsctl shows a bridge while I refer to it as a switch) called ovs-host which connects the physical port eth0 with my virtual device veth114-host (the first NIC of my VM 114). Then there is a second switch called ovs-bridge which connects another virtual NIC of VM 114 with multiple virtual systems (look out for veth*).
root@nyota:~# ovs-vsctl show
16063541-b8fa-4b1d-b4e3-66e483b168db
    Bridge ovs-host
        Port ovs-host
            Interface ovs-host
                type: internal
        Port "eth0"
            Interface "eth0"
        Port "veth114-host"
            Interface "veth114-host"
    Bridge ovs-bridge
        Port "veth103"
            Interface "veth103"
        Port "veth100"
            Interface "veth100"
        Port "veth200"
            Interface "veth200"
        Port "veth101"
            Interface "veth101"
        Port ovs-bridge
            Interface ovs-bridge
                type: internal
        Port "veth114-bridge"
            Interface "veth114-bridge"
So, simply put: VM 114 has two virtual NICs. The first one is on switch ovs-host and hence connected to the internet; the second one is on switch ovs-bridge, where all the other virtual systems are. All virtual systems have to pass through VM 114 to reach the internet – perfect for a firewall, isn’t it?
VM 114 / Linux Bridge Setup
Set up the bridge using
brctl addbr br0
Add both interfaces to it
brctl addif br0 ens3
brctl addif br0 ens21
Activate all three interfaces
ip link set ens3 up
ip link set ens21 up
ip link set br0 up
Well – and that’s all. I am able to ping VM 101 through VM 114. This is a hidden bridge, because it does not appear in traceroute/tracepath output and it has no IP address:
root@nyota:~# traceroute x.x.x.132
traceroute to x.x.x.132 (x.x.x.132), 30 hops max, 60 byte packets
 1  x.x.eu (x.x.x.132)  0.426 ms  0.410 ms  0.389 ms
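As an added example (not code from the original post), here is the same VM 114 setup done with iproute2 instead of brctl, plus a check that the bridge really stays address-less. br0, ens3 and ens21 are the names from the post; DRY_RUN=1 (the default in the script) only prints the commands, and DRY_RUN=0 applies them, which needs root.

```shell
#!/bin/sh
# Added example, not from the original post: build the transparent bridge of
# VM 114 with iproute2 instead of brctl, and check that it stays hidden.
# Assumptions: bridge br0 and nics ens3/ens21 as in the post; DRY_RUN=1 (the
# default here) only prints the commands, DRY_RUN=0 executes them (needs root).
set -eu
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Enslave both VM nics to BR. The bridge never gets an address and IPv6 is
# disabled on it, so it does not even pick up a fe80:: link-local address
# that would make it answer neighbor discovery on the segment.
setup_hidden_bridge() {
    br=$1; nic_a=$2; nic_b=$3
    run ip link add "$br" type bridge
    run ip link set "$nic_a" master "$br"
    run ip link set "$nic_b" master "$br"
    run sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
    run ip addr flush dev "$br"
    run ip link set "$nic_a" up
    run ip link set "$nic_b" up
    run ip link set "$br" up
}

# Succeeds when the given `ip addr show dev BR` output carries no inet/inet6
# line, i.e. the bridge is still invisible at layer 3 (no traceroute hop).
bridge_is_hidden() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6?[[:space:]]'
}

# Constructed sample output of `ip addr show dev br0` for both cases.
HIDDEN_SAMPLE='4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:00:00:00:01:14 brd ff:ff:ff:ff:ff:ff'
LEAKY_SAMPLE="$HIDDEN_SAMPLE
    inet6 fe80::ff:fe00:114/64 scope link"

setup_hidden_bridge br0 ens3 ens21
bridge_is_hidden "$HIDDEN_SAMPLE" && echo "br0: hidden (no address)"
bridge_is_hidden "$LEAKY_SAMPLE" || echo "br0: leaks an address, flush it"
```

For the firewall role hinted at above, keep in mind that bridged frames only traverse the iptables FORWARD chain when the br_netfilter module is loaded (net.bridge.bridge-nf-call-iptables=1); otherwise filter them in the nftables bridge family or with ebtables.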