When I first started setting up qemu-kvm VMs for customers, I set up their internet-facing network with tap interfaces enslaved to a host bridge along with the physical network card of the host, something like

    ip tuntap add dev tapN mode tap
    brctl addif br0 tapN
    ip link set tapN up
    qemu-kvm ... -net nic,... -net tap,ifname=tapN,script=no,downscript=no

More recently on my development boxes, I've been using macvtap in the form

    ip link add link eth0 name guestN address MAC type macvtap mode bridge
    ip link set guestN up
    qemu-kvm ... -net nic,macaddr=MAC,... -net tap,fd=3 3<>/dev/tap$(< /sys/class/net/guestN/ifindex)

In the bridge-based setup, I use ebtables rules on the tapN port to prevent guests from receiving or emitting packets with the wrong MAC address, and also to prevent them from ARPing for, or more generally receiving or emitting packets from, IP addresses which don't belong to them.

With macvtap, the setup and configuration is nicer and the MAC address restriction is built-in, but there doesn't appear to be a mechanism to apply any other filter, such as the one that would be needed to restrict guests to particular IP addresses or to stop them emitting non-IP protocols.

On the other hand, the machines using the bridges appear to be much easier to DoS with packet floods than normal Linux hosts, presumably because their public-facing interfaces run in promiscuous mode. Macvtap-based hosts with their simple, static configuration seem as immune as normal Linux hosts with standard one-eth0-interface networking.

Is there a way to get the best of both worlds? I'd love to have the static MAC setup and DoS resistance of macvtap but still be able to apply some basic filter rules, restricting VMs to the handful of IPv4/6 addresses they're entitled to. In the absence of ebtables for macvtap, is there some way I can send packets relating to a macvtap interface through netfilter, in the same way CONFIG_BRIDGE_NETFILTER would do for packets traversing a Linux bridge?

Best wishes,
Chris.
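The post describes the per-port ebtables rules used in the bridge-based setup without showing them. The script below is an added example, not code from Chris or from any project mentioned above: it builds a dedicated ebtables chain for one tap port that lets the guest send only from its own MAC, ARP only for its own IPv4 address, and send IP only from its assigned IPv4 address and its global IPv6 address plus the EUI-64 link-local address derived from the MAC (without that, neighbour discovery breaks). Everything else, including non-IP protocols, is dropped; on the receive side the guest sees only unicast to its own MAC and broadcast/multicast. The interface name, MAC and addresses are constructed placeholders, and the script prints the commands (dry run) unless `APPLY=1` is set, so the rules can be reviewed before they touch the host.

```shell
#!/bin/sh
# Added example (not from the original post): per-guest ebtables filtering for
# a tap port enslaved to a host bridge. Names, MACs and addresses used below
# are constructed placeholders. Commands are printed unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Derive the EUI-64 link-local address from a MAC: the U/L bit of the first
# octet is flipped and ff:fe is inserted between the two halves.  A guest
# that may only source its global IPv6 address would lose neighbour discovery
# and router solicitation unless this address is permitted too.
eui64_linklocal() {
    IFS=: read -r o1 o2 o3 o4 o5 o6 <<EOF
$1
EOF
    o1=$(( $(printf '%d' "0x$o1") ^ 2 ))
    printf 'fe80::%02x%s:%sff:fe%s:%s%s\n' "$o1" "$o2" "$o3" "$o4" "$o5" "$o6"
}

# guest_rules TAP MAC IPV4 IPV6
# Frames the guest sends through TAP are diverted into a per-guest chain:
#   - anything not from the guest's MAC is dropped,
#   - ARP is accepted only with the guest's own MAC and IPv4 address,
#   - IPv4 only from the guest's address, IPv6 only from its global or
#     link-local address,
#   - everything else (other addresses, non-IP protocols) is dropped.
# On the way back the guest receives unicast to its MAC plus broadcast and
# multicast, and nothing addressed to other MACs.
guest_rules() {
    tap=$1 mac=$2 ip4=$3 ip6=$4
    ll6=$(eui64_linklocal "$mac")
    chain="guest_$tap"
    run ebtables -N "$chain"
    run ebtables -A FORWARD -i "$tap" -j "$chain"
    run ebtables -A "$chain" -s ! "$mac" -j DROP
    run ebtables -A "$chain" -p ARP --arp-mac-src "$mac" --arp-ip-src "$ip4" -j ACCEPT
    run ebtables -A "$chain" -p IPv4 --ip-src "$ip4" -j ACCEPT
    run ebtables -A "$chain" -p IPv6 --ip6-src "$ip6" -j ACCEPT
    run ebtables -A "$chain" -p IPv6 --ip6-src "$ll6" -j ACCEPT
    run ebtables -A "$chain" -j DROP
    run ebtables -A FORWARD -o "$tap" -d Multicast -j ACCEPT
    run ebtables -A FORWARD -o "$tap" -d ! "$mac" -j DROP
}

# Usage: sh guest-rules.sh tap0 52:54:00:aa:bb:cc 192.0.2.10 2001:db8::10
case $# in
    4) guest_rules "$@" ;;
esac
```

The rules live in the ebtables FORWARD chain, which is what frames crossing the bridge between the tap port and the physical NIC traverse; frames destined for the host itself go through INPUT and are not covered here. The ARP rule also rejects address-conflict probes with a 0.0.0.0 sender address, which is acceptable for guests with static addresses but should be relaxed if a guest is expected to run DHCP.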