Network routing through veth0 / bridge for userspace QEMU VM?

I would like to filter and capture traffic from a virtual machine. This VM must run in userspace. Capturing requires root, I know (though I hope to minimise root activity needed later). The easiest way to capture and filter - as I understand - is having a dedicated, virtual network interface like vnet0 used exclusively by the VM. Then I can run tshark, tcpdump, iptables etc. on it. **How do I set up (create) the network interfaces (as root), and how do I connect to them (as non-root) with a KVM/QEMU virtual machine?** I am looking for ip commands (iproute2 style) and qemu configuration options. I have started working on interfaces like this: (root 1) ip link add br0 type bridge (root 2) ip addr add dev br0 10.10.0.1/24 (root 3) ip link set dev br0 up (root 4) ip link add vm1-host type veth peer name vm1-net (root 5) ip link set dev vm1-host master br0 (root 6) ip link set dev vm1-host up (root 7) ip tuntap add vm1-tap mode tap (root 8) ip addr add 10.10.0.2/24 dev vm1-net (root 9) ip addr add 10.0.2.2/24 dev vm1-tap (root 10) ip link set dev vm1-tap up (root 10b) echo 1 > /proc/sys/net/ipv4/ip_forward Then tried to connect with QEMU to the bridge but could not do so as a non-root user. I edited /etc/qemu/bridge.conf to allow the user to connect to the bridge via /usr/libexec/qemu-bridge-helper: (root 11) grep -v # /etc/qemu/bridge.conf allow veth0 allow vm1-tap allow vm1-host allow vm1-net (root 12) ll /usr/libexec/qemu-bridge-helper -rwsr-x--- 1 root kvm 312888 Aug 25 16:16 /usr/libexec/qemu-bridge-helper The user is indeed a member of the kvm group (id shows it). However, I get the following error message when usingvirt-manager running as $USERNAME with a bridge interface: Error starting domain: /usr/libexec/qemu-bridge-helper --use-vnet --br=vm1-tap --fd=34: failed to communicate with bridge helper: stderr=failed to add interface tap0' to bridge vm1-tap': Operation not supported : Transport endpoint is not connected Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/object/domain.py", line 1425, in startup self._backend.create() File "/usr/lib64/python3.10/site-packages/libvirt.py", line 1362, in create raise libvirtError('virDomainCreate() failed') libvirt.libvirtError: /usr/libexec/qemu-bridge-helper --use-vnet --br=vm1-tap --fd=34: failed to communicate with bridge helper: stderr=failed to add interface tap0' to bridge vm1-tap': Operation not supported : Transport endpoint is not connected Some **capabilities** may additionally be necessary? - **how do I make a user have them only for starting the VM?** Perhaps this will help? (root 13) ip tuntap add vm1-tap mode tap user $USERNAME ioctl(TUNSETIFF): Device or resource busy I experimented with commands found online but **do I need tun/tap at all?**, and I could not find the correct way to do this. References (helpful but not solutions for my problem): * [Howto setup a veth virtual network](https://superuser.com/questions/764986/howto-setup-a-veth-virtual-network) * https://unix.stackexchange.com/questions/456449/qemu-network-bridge * https://unix.stackexchange.com/questions/219952/routing-only-vm-traffic-through-vpn