[Bridge] promiscuous mode necessary for supporting KVM?

Scott Koranda skoranda at gravity.phys.uwm.edu
Sat Mar 26 13:30:58 PDT 2011


My platform is Debian Squeeze amd64:

$ /etc/network# cat /etc/issue
Debian GNU/Linux 6.0 \n \l

$ /etc/network# uname -r
2.6.32-5-amd64

I followed what I believe to be the "canonical" instructions
for deploying KVM to support virtual machines on this host. My
specific need is for the virtual machines to have static IP
addresses and be visible to the LAN.

This deployment included configuring a bridge like this:

$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
address xxx.yy.zz.195
netmask 255.255.255.0
network xxx.yy.zz.0
broadcast xxx.yy.zz.255
gateway xxx.yy.zz.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0

The bridge reports the following:

$ /etc/network# brctl show
bridge name     bridge id               STP enabled interfaces
br0             8000.0019b946d44b       no              eth0
                                                        vnet0
                                                        vnet1
                                                        vnet2
                                                        vnet3

The four VMs are using the vnetx interfaces and work exactly
as I need them to work.

A colleague, however, has written to me "The concern I have is
that apparently you must run the physical NIC in promiscuous
mode, to get bridging working with the Linux KVM module."

I want to determine if that is true.

I see the following flags set for the interfaces:

$ cat /sys/class/net/br0/flags
0x1003
$ cat /sys/class/net/eth0/flags
0x1103
$ cat /sys/class/net/vnet0/flags
0x1103

My understanding is that if the 0x100 bit is set then the
interface is in promiscuous mode.

So br0 reports it is NOT in promiscuous mode but eth0 does.

How can I tell if the "physical NIC" is in promiscuous mode?

If it is in promiscuous mode, with this configuration is that
any more of a security risk?

Why are the vnetx interfaces and eth0 in (or at least
reporting) promiscuous mode? Is that so that they can "see"
each other's traffic without having to leave the host and
return?

Thank you for your input.
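The three readings above are the raw value of the kernel's net_device flags word, in which bit 0x100 is IFF_PROMISC. The following decoder (an added example, not part of the original post) turns such a value into the named IFF_* bits from the Linux <linux/if.h> header and shows why 0x1003 and 0x1103 differ only in the PROMISC bit; the SAMPLE_FLAGS values are constructed from the post.

```python
"""Decode the Linux net_device flags word exposed in /sys/class/net/<iface>/flags."""
from pathlib import Path

# Bit values from the Linux uapi header <linux/if.h> (enum net_device_flags).
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x4: "DEBUG", 0x8: "LOOPBACK",
    0x10: "POINTOPOINT", 0x20: "NOTRAILERS", 0x40: "RUNNING", 0x80: "NOARP",
    0x100: "PROMISC", 0x200: "ALLMULTI", 0x400: "MASTER", 0x800: "SLAVE",
    0x1000: "MULTICAST", 0x2000: "PORTSEL", 0x4000: "AUTOMEDIA", 0x8000: "DYNAMIC",
    0x10000: "LOWER_UP", 0x20000: "DORMANT", 0x40000: "ECHO",
}
IFF_PROMISC = 0x100
KNOWN_MASK = sum(IFF_FLAGS)  # keys are the bit values


def decode_flags(raw):
    """Turn the hex string from the sysfs flags file into a list of flag names."""
    value = int(raw.strip(), 16)
    names = [name for bit, name in sorted(IFF_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        # Report bits this table does not know rather than silently dropping them.
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def is_promiscuous(raw):
    """True if IFF_PROMISC (0x100) is set in the given flags value."""
    return bool(int(raw.strip(), 16) & IFF_PROMISC)


def read_iface_flags(iface, sysfs=Path("/sys/class/net")):
    """Read the live flags file of an interface on this host (Linux only)."""
    return (sysfs / iface / "flags").read_text()


# Constructed from the three values quoted in the post above.
SAMPLE_FLAGS = {"br0": "0x1003\n", "eth0": "0x1103\n", "vnet0": "0x1103\n"}

if __name__ == "__main__":
    for iface, raw in SAMPLE_FLAGS.items():
        print(f"{iface:6} {raw.strip():7} promisc={is_promiscuous(raw)!s:5} "
              f"{' '.join(decode_flags(raw))}")
```

On a live host, `read_iface_flags("eth0")` reads the same file the post catted; `ip link show eth0` reports the same bit as PROMISC in the angle-bracket flag list.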
