[Lxc-users] Forwarding packets from host to container

Nirmal Guhan vavatutu at gmail.com
Wed Jan 12 22:07:16 UTC 2011


On Wed, Jan 12, 2011 at 1:45 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> On 01/12/2011 10:28 PM, Nirmal Guhan wrote:
>>
>> On Wed, Jan 12, 2011 at 12:42 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
>>>
>>> On 01/12/2011 02:25 AM, Nirmal Guhan wrote:
>>>>
>>>> Hi,
>>>>
>>>> How do I forward packets (ethernet frames included) from host to
>>>> container? I plan to run a packet capture program (tcpdump for
>>>> instance) within container that will capture the packets coming to
>>>> host eth1 interface. I tried both using bridge and iptables but they
>>>> do not seem to help.
>>>>
>>>> iptables -A FORWARD -i eth1 -o br1 -j ACCEPT  and/or
>>>> iptables -A FORWARD -i eth1 -o vethZtPPol -j ACCEPT
>>>>
>>>> Instead of the above, I also tried adding host eth1 to br1 but still
>>>> tcpdump from container cannot see the packets sent to eth1 from
>>>> external world.
>>>>
>>>> I use fedora 12 for both host and container.
>>>>
>>>> lxc.network.type = veth
>>>> lxc.network.link = br1
>>>> lxc.network.name = eth1
>>>> lxc.network.flags = up
>>>> lxc.network.mtu = 1500
>>>
>>> What about just moving the physical eth1 within the container directly
>>> instead of trying to forward the traffic?
>>>
>> Curious to know how to achieve that!!
>
> lxc.network.type = phys
> lxc.network.link = eth1
> lxc.network.name = eth1
> lxc.network.flags = up
>
> Of course, the host won't be able to use this interface while it is in the
> container ;)
>
>> Meanwhile, I might still need
>> the eth1 in host for other reasons. I just need the packet capturing
>> utility to work inside the container and capture the packets sent over
>> eth1 to *wherever*.
>
> Mmh, hard to achieve. The network is isolated and you are trying to get rid
> of it.
> Maybe the bonding is a good alternative to the bridge, not sure ...
>
> http://en.wikipedia.org/wiki/Channel_bonding
>
> But lxc should be modified to take care of it at the configuration level.
>
>  -- Daniel
>
Thanks. I was thinking that by adding host eth1 and container eth1 to the
same bridge (as done now), the container veth should be able to see the
ethernet frames. It actually sees some packets (like echo reply) but
not all. Am I missing anything?
~nirmal
