
Re: [Qemu-devel] Adding support for Stateless Static NAT for TAP devices


From: John Basila
Subject: Re: [Qemu-devel] Adding support for Stateless Static NAT for TAP devices
Date: Thu, 30 Aug 2012 13:58:51 +0300

Please allow me to add a few comments:

The problem here is related to the fact that QEMU is executed with multiple 
instances and all instances start from the same snapshot. Thus, if they all send 
a UDP DNS query, they will all create a packet - for example - 10.0.0.2:2345 -> 
DNSERVER:53. The source port is the same. The first packet that reaches the 
ipfilter will result in going over the iptables rules and getting NATed properly; 
the second QEMU instance that sends the same UDP packet will not get to run 
over the iptables rules, as the ipfilter has already seen this packet and the packet 
should be "RELATED" to a different connection. This will cause the response 
packets of machine B to be received via machine A, as the NAT rule will de-NAT 
the return packet to the relevant connection, which is related to machine A.

John

-----Original Message-----
From: Stefan Hajnoczi [mailto:address@hidden 
Sent: Thursday, August 30, 2012 1:44 PM
To: John Basila
Cc: address@hidden; Anthony Liguori; Rusty Russell; address@hidden
Subject: Re: Adding support for Stateless Static NAT for TAP devices

On Thu, Aug 30, 2012 at 10:27 AM, John Basila <address@hidden> wrote:
> I have tried NAT and this is why I came up with this feature.

QEMU's net/tap.c is the wrong place to add NAT code.  The point of tap is to 
use the host network stack.  If you want userspace networking, use -netdev user 
or -netdev socket.

Please look into iptables more.  I have CCed the netfilter mailing list.  The 
question is:

The host has several tap interfaces (tap0, tap1, ...) and the machine on the 
other end of each tap interface uses IP address 10.0.0.2.  So we have:

tap0 <-> virtual machine #0 (10.0.0.2)
tap1 <-> virtual machine #1 (10.0.0.2)
tap2 <-> virtual machine #2 (10.0.0.2)

Because the virtual machines all use the same static IP address, they cannot 
communicate with each other or the outside world (they fight over ARP).  We'd 
like to NAT the tap interfaces:

tap0 <-> virtual machine #0 (10.0.0.2 NAT to 192.168.0.2)
tap1 <-> virtual machine #1 (10.0.0.2 NAT to 192.168.0.3)
tap2 <-> virtual machine #2 (10.0.0.2 NAT to 192.168.0.4)

This would allow the virtual machines to communicate even though each believes 
it is 10.0.0.2.

How can this be done using iptables and friends?

Thanks,
Stefan
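The commands below are an added example, not code from the thread, from QEMU or from the netfilter list; they answer Stefan's question for the three-tap mapping above and avoid the shared conntrack entry that John describes by giving each tap its own conntrack zone. They go beyond what the thread states: the uplink name, the zone and routing-table numbers, and the host-side addressing of the taps are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): emit the per-tap iptables and
# policy-routing commands for Stefan's mapping (10.0.0.2 behind tapN is seen
# as 192.168.0.(N+2)). Each tap gets its own conntrack zone, so identical
# 10.0.0.2:port flows from different guests get separate conntrack entries
# instead of the collision John describes. Guest-to-uplink traffic only.
# Assumptions: uplink is eth0; the host side of every tap carries 10.0.0.1/24;
# rp_filter is loose (2) or off; the kernel and iptables support the CT
# target (--zone), CONNMARK and fwmark policy routing.
GUEST_IP=10.0.0.2
UPLINK=eth0

# Print (do not run) the commands for tap interface number $1.
tap_nat_rules() {
    n=$1
    zone=$((n + 1))            # zone 0 is the default, so taps start at 1
    table=$((100 + n))         # one routing table per tap for the return path
    host_ip="192.168.0.$((n + 2))"
    cat <<EOF
# tap$n: guest $GUEST_IP is seen on $UPLINK as $host_ip
# 1. everything entering tap$n, and replies addressed to $host_ip, go to zone $zone
iptables -t raw -A PREROUTING -i tap$n -j CT --zone $zone
iptables -t raw -A PREROUTING -i $UPLINK -d $host_ip -j CT --zone $zone
# 2. mark packets from tap$n and save the mark on the connection
iptables -t mangle -A PREROUTING -i tap$n -j MARK --set-mark $zone
iptables -t mangle -A PREROUTING -i tap$n -j CONNMARK --save-mark
# 3. source-NAT only connections that carry this tap's mark
iptables -t nat -A POSTROUTING -o $UPLINK -m mark --mark $zone -s $GUEST_IP -j SNAT --to-source $host_ip
# 4. de-NATed replies go back out of tap$n, not the first tap with a 10.0.0.0/24 route
ip route add $GUEST_IP dev tap$n table $table
ip rule add fwmark $zone table $table
EOF
}

# Commands shared by all taps: forwarding, and restoring the saved mark on
# packets from the uplink so the fwmark rules above pick the right tap.
common_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -i $UPLINK -j CONNMARK --restore-mark
EOF
}

# The three taps from the thread; pipe the output to sh as root to apply it.
generate_all() {
    common_rules
    for n in 0 1 2; do tap_nat_rules "$n"; done
}
```

VM-to-VM traffic between the mapped addresses is not covered by these rules; it needs a second classification step because the ingress mark and the destination tap differ.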
