Dear list, It seems that the host-only interface (vbox 4.1.12-dfsg-2ubuntu0.2) reacts differently than an ethernet or TUN/TAP interface regarding NAT, so that some standard maintenance procedures do not work with virtualbox machines while same process is applicable to real network. It might be that this is just a configuration issue, but also a bug in the vbox network adapter packet traversal code could be possible. I have read through [1], but until now have no clue, what could be wrong.
Description of reproducer: virtualbox guest and host are connected via host-only network, guest can reach host via TCP and vice versa. With following simple NAT configuration, data transfer does not work any more (see [2] for complete reproducer): Guest: Open connection to host-ip:22 Host: DNAT host-ip to guest-ip and SNAT source to host-ip, forward packet back to guest via host-only interface Guest: fails to see the packet. The strange thing is, that tcpdump on host reports the packet to be sent back to the guest (IP, MAC correct), but the guest does not receive it (no tcpdump confirmation of incoming traffic in guest). Could it be that the vbox host-only network code contains some magic, that does not allow routing back of packets to the link they came from, e.g. when skbuf was created from data from same interface to be sent to? Does anyone familiar with the host-only networking core code know, if this could work? Might it be a software bug or configuration issue? Kind regards, hd [1] http://www.virtualbox.org/manual/ch06.html [2] Reproducer: * Reference setup with vde tools - working as expected: Create a test-network using virtual distributed ethernet. One could also use 2 real machines with real ethernet interfaces, that would work also. Host has IP 10.0.1.1/24, guest has IP 10.0.1.2/24 -- this is just for forwarding the vde-traffic VDE-interfaces for NAT: 10.0.0.1 and 10.0.0.2 (these are relevant for tcpdump verification, all test traffic runs via those) ** In virtualbox: _vdeTest_switchDir="$(mktemp -d)/sock" vde_switch -sock "${_vdeTest_switchDir}" -mod 0600 -tap vdetesttap < /dev/null & socat TCP4-LISTEN:1234,reuseaddr=1,fork=1 "EXEC:vde_plug -m 0600 ${_vdeTest_switchDir}" & ip link set vdetesttap up ip addr add 10.0.0.1/24 dev vdetesttap iptables -I OUTPUT 1 -o vdetesttap -j ACCEPT iptables -I INPUT 1 -i vdetesttap -j ACCEPT ** Outside virtualbox: _vdeTest_switchDir="$(mktemp -d)/sock" vde_switch -sock "${_vdeTest_switchDir}" -mod 0600 -tap vdetesttap < /dev/null & socat TCP4:10.0.1.2:1234 "EXEC:vde_plug -m 0600 ${_vdeTest_switchDir}" & ip link set vdetesttap up ip addr add 10.0.0.2/24 dev vdetesttap echo 1 > /proc/sys/net/ipv4/conf/vdetesttap/forwarding iptables -I OUTPUT 1 -o vdetesttap -j ACCEPT iptables -I INPUT 1 -i vdetesttap -j ACCEPT iptables -I FORWARD 1 -i vdetesttap -j ACCEPT iptables -t nat -A PREROUTING -i vdetesttap --destination 10.0.0.2 -j DNAT --to-destination 10.0.0.1 iptables -t nat -A POSTROUTING -o vdetesttap --destination 10.0.0.1 -j SNAT --to-source 10.0.0.2 ** Run the test: Open some listening port in guest Connect in guest to same port on host, e.g. "nc -vn 10.0.0.2 22" Host natted connection back to guest, guest opens TCP port, data traffic works. * Negative-test with vbox host-only network: Use same IPs from TAP-interfaces from previous test on host-only interfaces. ** In virtualbox: ip addr flush dev eth0 ip addr add 10.0.0.1/24 dev eth0 iptables -I OUTPUT 1 -o eth0 -j ACCEPT iptables -I INPUT 1 -i eth0 -j ACCEPT ** Outside virtualbox: ip addr add 10.0.0.2/24 dev vboxnet0 echo 1 > /proc/sys/net/ipv4/conf/vboxnet0/forwarding iptables -I OUTPUT 1 -o vboxnet0 -j ACCEPT iptables -I INPUT 1 -i vboxnet0 -j ACCEPT iptables -I FORWARD 1 -i vboxnet0 -j ACCEPT iptables -t nat -A PREROUTING -i vboxnet0 --destination 10.0.0.2 -j DNAT --to-destination 10.0.0.1 iptables -t nat -A POSTROUTING -o vboxnet0 --destination 10.0.0.1 -j SNAT --to-source 10.0.0.2 ** Run the test: Same as before, but test is failing. Guest sends SYN to host, host receives it, performs NAT, sends it out to guest (seen in tcpdump), but guest does not receive it. *** Guest TCP-dump: SYN sent, no reply, retransmit 1 second later (also failing) 19:49:36.607352 08:00:27:1a:25:99 > 0a:00:27:00:00:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 38476, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.54356 > 10.0.0.2.22: Flags [S], cksum 0x1431 (incorrect -> 0x325a), seq 207568127, win 14600, options [mss 1460,sackOK,TS val 2337459 ecr 0,nop,wscale 3], length 0 0x0000: 4500 003c 964c 4000 4006 906d 0a00 0001 0x0010: 0a00 0002 d454 0016 0c5f 3cff 0000 0000 0x0020: a002 3908 1431 0000 0204 05b4 0402 080a 0x0030: 0023 aab3 0000 0000 0103 0303 19:49:37.607023 08:00:27:1a:25:99 > 0a:00:27:00:00:00, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 38477, offset 0, flags [DF], proto TCP (6), length 60) *** Host tcpdump: SYN received, NATed, sent back: length 74: (tos 0x0, ttl 64, id 38479, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.1.54356 > 10.0.0.2.22: Flags [S], cksum 0x2b7f (correct), seq 207568127, win 14600, options [mss 1460,sackOK,TS val 2339214 ecr 0,nop,wscale 3], length 0 0x0000: 4500 003c 964f 4000 4006 906a 0a00 0001 0x0010: 0a00 0002 d454 0016 0c5f 3cff 0000 0000 0x0020: a002 3908 2b7f 0000 0204 05b4 0402 080a 0x0030: 0023 b18e 0000 0000 0103 0303 06:25:48.532979 0a:00:27:00:00:00 > 08:00:27:1a:25:99, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 38479, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.2.54356 > 10.0.0.1.22: Flags [S], cksum 0x2b7f (correct), seq 207568127, win 14600, options [mss 1460,sackOK,TS val 2339214 ecr 0,nop,wscale 3], length 0 0x0000: 4500 003c 964f 4000 3f06 916a 0a00 0002 0x0010: 0a00 0001 d454 0016 0c5f 3cff 0000 0000 0x0020: a002 3908 2b7f 0000 0204 05b4 0402 080a 0x0030: 0023 b18e 0000 0000 0103 0303 -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee ------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: DESIGN Expert tips on starting your parallel project right. http://goparallel.sourceforge.net/ _______________________________________________ VBox-users-community mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/vbox-users-community _______________________________________________ Unsubscribe: mailto:[email protected]?subject=unsubscribe
