I have tried NAT and this is why I came up with this feature. When starting multiple QEMU instances from the same snapshot image, the Guest OS in all instances starts from the same state, and if they start a connection to the DNS server, for example, they will all use the same source port. The iptables will NAT the first packet it sees, but when the second QEMU instance sends the same packet, the iptables will match the already NATed connection and thus cause problems for returning packets.
Using the SSNAT, this solves the problem by allowing a unique connection to be observed by the iptables.

Regarding the vhost=on, I can disallow the use of both which I think is fair.

John

-----Original Message-----
From: Stefan Hajnoczi [mailto:stefa...@gmail.com]
Sent: Thursday, August 30, 2012 12:14 PM
To: John Basila
Cc: qemu-devel@nongnu.org; Anthony Liguori
Subject: Re: Adding support for Stateless Static NAT for TAP devices

On Thu, Aug 30, 2012 at 09:12:19AM +0300, John Basila wrote:
> When running multiple instances of QEMU from the same image file
> (using -snapshot) and connecting each instance to a dedicated TAP
> device, the Guest OS will most likely not be able to communicate with
> the outside world as all packets leave the Guest OS from the same IP
> and thus the Host OS will have difficulty returning the packets to the
> correct TAP device/Guest OS. Stateless Static Network Address
> Translation or SSNAT allows the QEMU to map the network of the Guest
> OS to the network of the TAP device allowing a unique IP address for
> each Guest OS that ease such case.
> The only mandatory argument to the SSNAT is the Guest OS network IP,
> the rest will be figured out from the underlying TAP device.
>
> Signed-off-by: John Basila <jbas...@checkpoint.com>
> ---
> net/tap.c | 369 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
> qapi-schema.json | 5 +-
> qemu-options.hx | 10 ++-
> 3 files changed, 381 insertions(+), 3 deletions(-)

This does not work with vhost=on because the host<->guest packet processing happens in vhost_net.ko instead of in QEMU. Use iptables on the host to NAT the tap interface.

Stefan
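
The stateless mapping discussed in this thread, as an added example that is not code from the patch or from QEMU: each TAP device swaps the guest network prefix for its own and keeps the host bits, so identical packets from cloned guests reach the host with distinct source addresses. The function names, the /24 mask and the sample networks (guest 10.0.2.0, TAP networks 192.168.101.0 and 192.168.102.0) are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdio.h>

/* Internet checksum over an even-length IPv4 header. */
static uint16_t ip_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~(sum + (sum >> 16));
}

/* Map the address at off (12 = src, 16 = dst) between networks, keeping host
 * bits and no per-flow state. Returns the address, or 0 if not valid IPv4. */
static uint32_t ssnat(uint8_t *ip, size_t len, size_t off,
                      uint32_t from, uint32_t to, uint32_t mask)
{
    size_t hlen = len ? (size_t)(ip[0] & 0x0f) * 4 : 0;
    if (len < 20 || ip[0] >> 4 != 4 || hlen < 20 || hlen > len)
        return 0;
    uint32_t a = (uint32_t)ip[off] << 24 | (uint32_t)ip[off + 1] << 16 |
                 (uint32_t)ip[off + 2] << 8 | ip[off + 3];
    if ((a & mask) != (from & mask))
        return a;                 /* outside the mapped network: untouched */
    a = (to & mask) | (a & ~mask);
    for (int i = 0; i < 4; i++)
        ip[off + i] = (uint8_t)(a >> (24 - 8 * i));
    ip[10] = ip[11] = 0;          /* the header checksum covers the address */
    uint16_t c = ip_csum(ip, hlen);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    return a;
}

/* Constructed sample: each snapshot guest sends 10.0.2.15 -> 8.8.8.8.
 * Returns the source the host sees for tap_net, or 0 if a check fails. */
static uint32_t demo(uint32_t tap_net)
{
    const uint32_t guest = 0x0a000200, mask = 0xffffff00;
    uint8_t p[20] = { 0x45,0,0,28, 0,1,0,0, 64,17,0,0, 10,0,2,15, 8,8,8,8 };
    uint32_t src = ssnat(p, sizeof p, 12, guest, tap_net, mask);
    uint8_t r[20] = { 0x45, 0, 0, 28, 0, 2, 0, 0, 64, 17, 0, 0,
                      8, 8, 8, 8, p[12], p[13], p[14], p[15] }; /* reply */
    uint32_t back = ssnat(r, sizeof r, 16, tap_net, guest, mask);
    return (ip_csum(p, 20) == 0 && back == 0x0a00020f) ? src : 0;
}

int main(void)
{
    printf("%08" PRIx32 " %08" PRIx32 "\n", demo(0xc0a86500), demo(0xc0a86600));
    return 0;
}
```

Only the IPv4 header is handled here; TCP and UDP checksums include the addresses through the pseudo-header, so a full implementation has to update those as well.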