[Lxc-users] Forwarding packets from host to container

Nirmal Guhan vavatutu at gmail.com
Thu Jan 13 02:14:39 UTC 2011


On Wed, Jan 12, 2011 at 2:07 PM, Nirmal Guhan <vavatutu at gmail.com> wrote:
> On Wed, Jan 12, 2011 at 1:45 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
>> On 01/12/2011 10:28 PM, Nirmal Guhan wrote:
>>>
>>> On Wed, Jan 12, 2011 at 12:42 PM, Daniel Lezcano<daniel.lezcano at free.fr>
>>>  wrote:
>>>>
>>>> On 01/12/2011 02:25 AM, Nirmal Guhan wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> How do I forward packets (ethernet frames included) from host to
>>>>> container. I plan to run a packet capture program (tcpdump for
>>>>> instance) within container that will capture the packets coming to
>>>>> host eth1 interface. I tried both using bridge and iptables but they
>>>>> do not seem to help.
>>>>>
>>>>> iptables -A FORWARD -i eth1 -o br1 -j ACCEPT  and/or
>>>>> iptables -A FORWARD -i eth1 -o vethZtPPol -j ACCEPT
>>>>>
>>>>> Instead of the above, I also tried adding host eth1 to br1 but still
>>>>> tcpdump from container cannot see the packets sent to eth1 from
>>>>> external world.
>>>>>
>>>>> I use fedora 12 for both host and container.
>>>>>
>>>>> lxc.network.type = veth
>>>>> lxc.network.link = br1
>>>>> lxc.network.name = eth1
>>>>> lxc.network.flags = up
>>>>> lxc.network.mtu = 1500
>>>>
>>>> What about just moving the physical eth1 within the container directly
>>>> instead of trying to forward the traffic ?
>>>>
>>> Curious to know how to achieve that!!
>>
>> lxc.network.type = phys
>> lxc.network.link = eth1
>> lxc.network.name = eth1
>> lxc.network.flags = up
>>
>> Of course, the host won't be able to use this interface while it is in the
>> container ;)
>>
>>> Meanwhile, I might still need
>>> the eth1 in host for other reasons. I just need the packet capturing
>>> utility to work inside the container and capture the packets sent over
>>> eth1 to *wherever*.
>>
>> Mmh, hard to achieve. The network is isolated and you are trying to get rid
>> of it.
>> Maybe the bonding is a good alternative to the bridge, not sure ...
>>
>> http://en.wikipedia.org/wiki/Channel_bonding
>>
>> But lxc should be modified to take care of it at the configuration level.
>>
>>  -- Daniel
>>
> Thanks. I was thinking that by adding host eth1 and container eth1 to the same
> bridge (as done now), the container veth should be able to see the
> Ethernet frames. It actually sees some packets (like echo reply) but
> not all. Am I missing anything?
> ~nirmal
>
I worked around it by capturing the packets on eth1 and forwarding them to
the veth of the container using libpcap.
~Nirmal
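The workaround Nirmal describes, written out as an added example that is not code from the thread: copy every frame eth1 sees onto the host end of the container's veth. It swaps libpcap for Linux AF_PACKET raw sockets from the Python standard library, puts eth1 into promiscuous mode so frames addressed to other MACs are delivered at all, and skips frames the container itself sent so they are not bounced back; the interface names and container MAC are assumed placeholders.

```python
import socket
import struct
import sys

ETH_P_ALL = 0x0003            # capture every ethertype
ETH_HLEN = 14                 # dst(6) + src(6) + ethertype(2)
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)   # <linux/socket.h>
PACKET_ADD_MEMBERSHIP = 1     # setsockopt name from <linux/if_packet.h>
PACKET_MR_PROMISC = 1         # membership type: promiscuous mode


def should_forward(frame: bytes, container_mac: bytes) -> bool:
    """Pure filter: drop runt frames and frames whose source MAC is the
    container's own, so traffic it sends out via the bridge is not copied
    straight back to it as a duplicate."""
    if len(frame) < ETH_HLEN:
        return False
    return frame[6:12] != container_mac


def promisc_mreq(ifindex: int) -> bytes:
    """struct packet_mreq { int ifindex; u16 type; u16 alen; u8 addr[8]; }"""
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, bytes(8))


def open_raw(ifname: str, promisc: bool) -> socket.socket:
    """Bind a raw AF_PACKET socket to one interface (needs CAP_NET_RAW)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    if promisc:
        # Without this the NIC only hands up frames for its own MAC, broadcast
        # and subscribed multicast, which is why a bridge port sees "some" frames.
        s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP,
                     promisc_mreq(socket.if_nametoindex(ifname)))
    return s


def mirror(src_if: str, dst_if: str, container_mac: bytes) -> None:
    """Copy frames from src_if to dst_if until interrupted."""
    rx = open_raw(src_if, promisc=True)
    tx = open_raw(dst_if, promisc=False)
    while True:
        frame = rx.recv(65535)
        if should_forward(frame, container_mac):
            tx.send(frame)


if __name__ == "__main__":
    # Placeholders: host NIC, host end of the container's veth, container MAC.
    src = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    dst = sys.argv[2] if len(sys.argv) > 2 else "vethZtPPol"
    mac = bytes.fromhex(sys.argv[3] if len(sys.argv) > 3 else "0242ac110002")
    mirror(src, dst, mac)
```

Run it as root on the host, e.g. `python3 mirror.py eth1 vethZtPPol 02:42:ac:11:00:02` with the colons removed; tcpdump inside the container then sees what eth1 sees.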