From: Dennis Jacobfeuerborn <dennisml@conversis.de>
To: John Basila <jbasila@checkpoint.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
Anthony Liguori <aliguori@us.ibm.com>,
Rusty Russell <rusty@rustcorp.com.au>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] Adding support for Stateless Static NAT for TAP devices
Date: Thu, 30 Aug 2012 14:38:05 +0200
Message-ID: <503F5EAD.3070008@conversis.de>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC8026E2BC562D6@il-ex01.ad.checkpoint.com>
On 08/30/2012 12:58 PM, John Basila wrote:
> Please allow me to add a few comments:
>
> The problem here is related to the fact that QEMU is executed with multiple instances and all instances start from the same snapshot, thus if they all send a UDP DNS query, they will all create a packet - for example - 10.0.0.2:2345 -> DNSERVER:53. The source port is the same. The first packet that reaches the ipfilter will result in going over the iptables rules and get NATed properly; the second QEMU instance that sends the same UDP packet will not get to run over the iptables rules as the ipfilter already saw this packet and the packet should be "RELATED" to a different connection, and thus will cause the response packets of machine B to be received via machine A, as the NAT rule will de-NAT the return packet to the relevant connection which is related to machine A.
>
> John
>
> -----Original Message-----
> From: Stefan Hajnoczi [mailto:stefanha@gmail.com]
> Sent: Thursday, August 30, 2012 1:44 PM
> To: John Basila
> Cc: qemu-devel@nongnu.org; Anthony Liguori; Rusty Russell; netfilter@vger.kernel.org
> Subject: Re: Adding support for Stateless Static NAT for TAP devices
>
> On Thu, Aug 30, 2012 at 10:27 AM, John Basila <jbasila@checkpoint.com> wrote:
>> I have tried NAT and this is why I came up with this feature.
>
> QEMU's net/tap.c is the wrong place to add NAT code. The point of tap is to use the host network stack. If you want userspace networking, use -netdev user or -netdev socket.
>
> Please look into iptables more. I have CCed the netfilter mailing list. The question is:
>
> The host has several tap interfaces (tap0, tap1, ...) and the machine on the other end of each tap interface uses IP address 10.0.0.2. So we have:
>
> tap0 <-> virtual machine #0 (10.0.0.2)
> tap1 <-> virtual machine #1 (10.0.0.2)
> tap2 <-> virtual machine #2 (10.0.0.2)
>
> Because the virtual machines all use the same static IP address, they cannot communicate with each other or the outside world (they fight over ARP). We'd like to NAT the tap interfaces:
>
> tap0 <-> virtual machine #0 (10.0.0.2 NAT to 192.168.0.2)
> tap1 <-> virtual machine #1 (10.0.0.2 NAT to 192.168.0.3)
> tap2 <-> virtual machine #2 (10.0.0.2 NAT to 192.168.0.4)
>
> This would allow the virtual machines to communicate even though each believes it is 10.0.0.2.
>
> How can this be done using iptables and friends?
Why do the systems have the same IP? That seems like a broken network
config to me.
Regards,
Dennis
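The per-tap static NAT Stefan asks about, with the conntrack collision John describes handled by conntrack zones, as an added example that is not code from this thread or from QEMU. It assumes tapN carries VM #N, that 10.0.0.1 is the guests' gateway, and that a nonzero conntrack zone, routing table and fwmark can be dedicated to each tap; the rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Layout assumed from Stefan's message:
# tapN <-> VM #N, every VM is 10.0.0.2, VM #N is to appear as 192.168.0.(N+2).
# Commands are printed, not run; pipe the output to sh as root to apply.
# Also assumes net.ipv4.ip_forward=1 and rp_filter=0 on the taps (not set here).
GUEST_IP=10.0.0.2
EXT_PREFIX=192.168.0

nat_rules_for_tap() {
    n=$1
    tap="tap$n"
    id=$((n + 1))                   # conntrack zone, routing table and mark: nonzero
    ext="$EXT_PREFIX.$((n + 2))"
    from_vm="$id/0xff"              # low mark byte: which VM sent the packet
    to_vm="$((id << 8))/0xff00"     # high mark byte: which VM receives it

    # Gateway address the guests use; /32 so every tap can carry the same one.
    echo "ip addr add 10.0.0.1/32 dev $tap"
    # 10.0.0.2 is reachable via this tap only for packets marked for VM #n.
    echo "ip route add $GUEST_IP/32 dev $tap table $id"
    echo "ip rule add fwmark $to_vm lookup $id"

    # Conntrack zones: identical 5-tuples from different VMs (John's DNS case)
    # become separate entries instead of one entry de-NATed to the wrong VM.
    # CT does nothing once a packet already has a conntrack, so first match wins.
    echo "iptables -t raw -A PREROUTING -i $tap -j CT --zone $id"
    echo "iptables -t raw -A PREROUTING -d $ext -j CT --zone $id"
    echo "iptables -t raw -A OUTPUT -d $ext -j CT --zone $id"

    # Marks live in separate bit ranges so a VM-to-VM packet keeps both identities.
    echo "iptables -t mangle -A PREROUTING -i $tap -j MARK --set-xmark $from_vm"
    echo "iptables -t mangle -A PREROUTING -d $ext -j MARK --set-xmark $to_vm"
    echo "iptables -t mangle -A OUTPUT -d $ext -j MARK --set-xmark $to_vm"

    # Static 1:1 NAT: 192.168.0.(n+2) <-> 10.0.0.2 behind tapN.
    echo "iptables -t nat -A PREROUTING -d $ext -j DNAT --to-destination $GUEST_IP"
    echo "iptables -t nat -A OUTPUT -d $ext -j DNAT --to-destination $GUEST_IP"
    echo "iptables -t nat -A POSTROUTING -s $GUEST_IP -m mark --mark $from_vm -j SNAT --to-source $ext"
}

# Rule set for taps 0..N-1 (usage: sh this.sh 3).
nat_rules_for_all() {
    i=0
    while [ "$i" -lt "$1" ]; do nat_rules_for_tap "$i"; i=$((i + 1)); done
}

if [ -n "${1:-}" ]; then nat_rules_for_all "$1"; fi
```

SNAT is matched on the mark rather than on `-i` because POSTROUTING cannot see the ingress interface.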
Thread overview: 9+ messages
2012-08-30 6:12 [Qemu-devel] Adding support for Stateless Static NAT for TAP devices John Basila
2012-08-30 9:14 ` Stefan Hajnoczi
2012-08-30 9:27 ` John Basila
2012-08-30 10:43 ` Stefan Hajnoczi
2012-08-30 10:58 ` John Basila
2012-08-30 11:43 ` Ivan Shmakov
2012-08-30 12:38 ` Dennis Jacobfeuerborn [this message]
2012-08-30 13:32 ` John Basila
2012-09-01 10:37 ` Blue Swirl