[Libvir] Port forwarding

What do people think about adding port forwarding to network configurations?

At the moment it's unnecessarily difficult to connect to (eg.) sshd port or remote desktop port on a virtual machine running under the virtual network configuration. If those ports could be mapped to consecutive ports on the public (eth0) interface then connecting would be simply a matter of knowing the port number.

AFAICS this could be implemented by adding rules such as these to the iptables:

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.122.5
iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport 80 \
  -j DNAT --to-destination 192.168.122.5
iptables -A FORWARD -i $INTIF -p tcp -d $EXTIP --dport 80 -j ACCEPT

(rules taken from http://www.ma.utexas.edu/users/stirling/computergeek/server.html)

Rich.

PS. I'm assuming that this is _not_ what the current /network/forward XML does? It seems to enable forwarding for a single privileged guest as far as I can work out.

-- 
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street,
Windsor, Berkshire, SL4 1TE, United Kingdom.
Registered in England and Wales under Company Registration No. 03798903

On Tue, Dec 04, 2007 at 12:08:15PM +0000, Richard W.M. Jones wrote:
> What do people think about adding port forwarding to network configurations?

A good idea. Mark had forwarding on his original spec, but it was not implemented at the time.

> At the moment it's unnecessarily difficult to connect to (eg.) sshd port or remote desktop port on a virtual machine running under the virtual network configuration. If those ports could be mapped to consecutive ports on the public (eth0) interface then connecting would be simply a matter of knowing the port number.
>
> AFAICS this could be implemented by adding rules such as these to the iptables:
>
> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
>   -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport 80 \
>   -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $INTIF -p tcp -d $EXTIP --dport 80 -j ACCEPT
>
> (rules taken from http://www.ma.utexas.edu/users/stirling/computergeek/server.html)
>
> Rich.
>
> PS. I'm assuming that this is _not_ what the current /network/forward XML does? It seems to enable forwarding for a single privileged guest as far as I can work out.

Yes, that is correct.

If you have

  <forward/>

Then outbound NAT is enabled from the bridge to any physical device.

If you have

  <forward dev='eth0'/>

Then outbound NAT is enabled from the bridge, but only allowed to eth0. If routing rules would send it elsewhere, it's blocked.

If you don't have any, then the network is totally isolated.

In all three of those scenarios inbound port-forwarding is a reasonable idea.

The hard part is deciding on the inbound physical NIC to use. The 'default' network has its rules explicitly set up to not care about physical NICs so that it works even if NetworkManager switches you between eth0 & eth1.

I guess the user will just have to add port forward rules as they need...

Dan.

-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

On Tue, Dec 04, 2007 at 01:40:51PM +0000, Daniel P. Berrange wrote:
> On Tue, Dec 04, 2007 at 12:08:15PM +0000, Richard W.M. Jones wrote:
> > What do people think about adding port forwarding to network configurations?
>
> A good idea. Mark had forwarding on his original spec, but it was not implemented at the time.
>
> > At the moment it's unnecessarily difficult to connect to (eg.) sshd port or remote desktop port on a virtual machine running under the virtual network configuration. If those ports could be mapped to consecutive ports on the public (eth0) interface then connecting would be simply a matter of knowing the port number.
> >
> > AFAICS this could be implemented by adding rules such as these to the iptables:
> >
> > iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
> >   -j DNAT --to-destination 192.168.122.5
> > iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT
> > iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport 80 \
> >   -j DNAT --to-destination 192.168.122.5
> > iptables -A FORWARD -i $INTIF -p tcp -d $EXTIP --dport 80 -j ACCEPT
Oh, the other hard part is figuring out what IP address corresponds to what virtual domain. We've no easy way to get that info back from dnsmasq at this time. One option is for libvirt to keep track of IP address <-> VM mappings and pass this info to dnsmasq via its --dhcp-hostsfile arg. This would also let us expose ability for user to give fixed mappings in the XML if we wanted.
> > (rules taken from http://www.ma.utexas.edu/users/stirling/computergeek/server.html)
> >
> > Rich.
> >
> > PS. I'm assuming that this is _not_ what the current /network/forward XML does? It seems to enable forwarding for a single privileged guest as far as I can work out.
> Yes, that is correct.
>
> If you have
>
>   <forward/>
>
> Then outbound NAT is enabled from the bridge to any physical device.
>
> If you have
>
>   <forward dev='eth0'/>
>
> Then outbound NAT is enabled from the bridge, but only allowed to eth0. If routing rules would send it elsewhere, it's blocked.
>
> If you don't have any, then the network is totally isolated.
>
> In all three of those scenarios inbound port-forwarding is a reasonable idea.
>
> The hard part is deciding on the inbound physical NIC to use. The 'default' network has its rules explicitly set up to not care about physical NICs so that it works even if NetworkManager switches you between eth0 & eth1.
>
> I guess the user will just have to add port forward rules as they need...
> Dan.

On Tue, 2007-12-04 at 12:08 +0000, Richard W.M. Jones wrote:
> What do people think about adding port forwarding to network configurations?

No question that it'd be a very useful feature ... But, apart from everything Dan pointed out, there is the problem that this isn't really network configuration, but rather host configuration - i.e. what's being configured here is the per-host port range and having this in the per-network configuration introduces the obvious potential for conflicts. No easy solution to that though, so maybe just leave the user sort it out.

Cheers,
Mark.
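Pulling the three messages together, here is an added example (not libvirt code and not from any of the posters) that, from one constructed guest table, prints both the fixed-address dnsmasq dhcp-hostsfile Dan suggests and the DNAT/FORWARD rules Rich quoted, one host port per guest service, and refuses the per-host port clashes Mark raises. The interface names, host address and MAC/IP table are all assumed, and the script only prints rules, it never applies them.

```shell
# Added example, not libvirt code. From one constructed guest table it prints
# (a) a dnsmasq dhcp-hostsfile pinning each guest to a fixed IP and (b) the
# iptables DNAT/FORWARD rules exposing one guest port per host port.
EXTIF=eth0            # assumed public interface
INTIF=virbr0          # assumed libvirt bridge
EXTIP=203.0.113.10    # assumed host address (documentation range)

# Constructed table: name mac guest_ip guest_port host_port
MAPPINGS='
web   52:54:00:aa:bb:01 192.168.122.5 80 10080
ssh1  52:54:00:aa:bb:02 192.168.122.6 22 10022
rdp1  52:54:00:aa:bb:03 192.168.122.7 3389 13389
'

# dnsmasq --dhcp-hostsfile lines: mac,ip,hostname
hostsfile() {
    printf '%s\n' "$MAPPINGS" | while read -r name mac ip gport hport; do
        [ -n "$name" ] || continue
        printf '%s,%s,%s\n' "$mac" "$ip" "$name"
    done
}

# Rules for one mapping (args: host_port guest_ip guest_port). nat/PREROUTING
# rewrites the destination before filter/FORWARD sees the packet, so FORWARD
# must match the guest address and port, not $EXTIP and the host port.
rules_for() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $1 -j DNAT --to-destination $2:$3
iptables -A FORWARD -i $EXTIF -p tcp -d $2 --dport $3 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport $1 -j DNAT --to-destination $2:$3
iptables -A FORWARD -i $INTIF -p tcp -d $2 --dport $3 -j ACCEPT
EOF
}

# Refuse a host port claimed by two guests (Mark's per-host conflict),
# otherwise emit the rules for every mapping. Nothing is applied.
all_rules() {
    dups=$(printf '%s\n' "$MAPPINGS" | awk 'NF { print $5 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "conflict: host port(s) claimed twice: $dups" >&2
        return 1
    fi
    printf '%s\n' "$MAPPINGS" | while read -r name mac ip gport hport; do
        [ -n "$name" ] || continue
        rules_for "$hport" "$ip" "$gport"
    done
}

hostsfile
all_rules
```

Because FORWARD is matched after translation, the rules quoted in the thread that filter on $EXTIP in FORWARD never see the DNATed flow; the ones printed here match the guest address instead.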
participants (3)
- Daniel P. Berrange
- Mark McLoughlin
- Richard W.M. Jones