qemu-devel

Re: [Qemu-devel] Adding support for Stateless Static NAT for TAP devices


From: Dennis Jacobfeuerborn
Subject: Re: [Qemu-devel] Adding support for Stateless Static NAT for TAP devices
Date: Thu, 30 Aug 2012 14:38:05 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0

On 08/30/2012 12:58 PM, John Basila wrote:
> Please allow me to add a few comments:
> 
> The problem here is related to the fact that QEMU is executed with multiple 
> instances and all instances start from the same snapshot, thus if they all 
> send a UDP DNS query, they will all create a packet - for example - 
> 10.0.0.2:2345 -> DNSERVER:53. The source port is the same. The first packet 
> that reaches the ipfilter will result in going over the iptables rules and 
> get NATed properly, the second QEMU instance that will send the same UDP 
> packet will not get to run over the iptables rules as the ipfilter already 
> saw this packet and the packet should be "RELATED" to a different connection 
> and thus will cause the response packets of machine B to be received via 
> machine A as the NAT rule will de-NAT the return packet to the relevant 
> connection which is related to machine A.
> 
> John
> 
> -----Original Message-----
> From: Stefan Hajnoczi [mailto:address@hidden]
> Sent: Thursday, August 30, 2012 1:44 PM
> To: John Basila
> Cc: address@hidden; Anthony Liguori; Rusty Russell; address@hidden
> Subject: Re: Adding support for Stateless Static NAT for TAP devices
> 
> On Thu, Aug 30, 2012 at 10:27 AM, John Basila <address@hidden> wrote:
>> I have tried NAT and this is why I came up with this feature.
> 
> QEMU's net/tap.c is the wrong place to add NAT code.  The point of tap is to 
> use the host network stack.  If you want userspace networking, use -netdev 
> user or -netdev socket.
> 
> Please look into iptables more.  I have CCed the netfilter mailing list.  The 
> question is:
> 
> The host has several tap interfaces (tap0, tap1, ...) and the machine on the 
> other end of each tap interface uses IP address 10.0.0.2.  So we have:
> 
> tap0 <-> virtual machine #0 (10.0.0.2)
> tap1 <-> virtual machine #1 (10.0.0.2)
> tap2 <-> virtual machine #2 (10.0.0.2)
> 
> Because the virtual machines all use the same static IP address, they cannot 
> communicate with each other or the outside world (they fight over ARP).  We'd 
> like to NAT the tap interfaces:
> 
> tap0 <-> virtual machine #0 (10.0.0.2 NAT to 192.168.0.2)
> tap1 <-> virtual machine #1 (10.0.0.2 NAT to 192.168.0.3)
> tap2 <-> virtual machine #2 (10.0.0.2 NAT to 192.168.0.4)
> 
> This would allow the virtual machines to communicate even though each 
> believes it is 10.0.0.2.
> 
> How can this be done using iptables and friends?

Why do the systems have the same IP? That seems like a broken network
config to me.

Regards,
  Dennis
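A small model of the flow collision John describes above, added here as an illustration and not code from the thread, from QEMU or from netfilter: the tap-to-address table follows Stefan's example, while the DNS server address and the use of a plain dict as the connection table are constructed assumptions.

```python
# Model of the collision John describes: several snapshot-cloned VMs, each
# 10.0.0.2 behind its own tap interface, all send the same UDP query from the
# same source port.  A stateful NAT keyed on the 5-tuple alone conflates the
# flows; a per-interface stateless mapping keeps them apart.
# Constructed example, not QEMU or netfilter code.
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport")

# Static 1:1 mapping per tap interface (Stefan's table).
IFACE_MAP = {"tap0": "192.168.0.2", "tap1": "192.168.0.3", "tap2": "192.168.0.4"}

def stateful_nat(packets):
    """Stateful NAT: the first packet of a flow fixes the translation; later
    packets with the same 5-tuple reuse it, whichever tap they arrived on."""
    conntrack = {}  # assumed: 5-tuple -> translated source, no interface in key
    out = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in conntrack:
            conntrack[key] = IFACE_MAP[p.iface]  # entry created by first sender
        out.append((p.iface, conntrack[key]))
    return out

def stateless_nat(packets):
    """Stateless static NAT: translation depends only on the ingress tap."""
    return [(p.iface, IFACE_MAP[p.iface]) for p in packets]

def reply_targets(translated):
    """Tap that receives the reply for each query, found by reversing the
    translated source address (this is the de-NAT step John mentions)."""
    reverse = {addr: iface for iface, addr in IFACE_MAP.items()}
    return [reverse[addr] for _, addr in translated]

# Constructed traffic: three cloned VMs issue the identical DNS query.
# DNS server address 10.10.10.10 is a placeholder for DNSERVER.
QUERIES = [Packet(i, "10.0.0.2", 2345, "10.10.10.10", 53)
           for i in ("tap0", "tap1", "tap2")]

def misdelivered(nat_fn):
    """Number of replies that do not come back to the tap that sent the query."""
    replies = reply_targets(nat_fn(QUERIES))
    return sum(1 for q, r in zip(QUERIES, replies) if q.iface != r)

if __name__ == "__main__":
    print("stateful NAT, misdelivered replies:", misdelivered(stateful_nat))    # 2
    print("stateless NAT, misdelivered replies:", misdelivered(stateless_nat))  # 0
```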



