Skip to content

Instantly share code, notes, and snippets.

@mcastelino
Last active October 19, 2024 15:35
Show Gist options
  • Save mcastelino/7d85f4164ffdaf48242f9281bb1d0f9b to your computer and use it in GitHub Desktop.
Save mcastelino/7d85f4164ffdaf48242f9281bb1d0f9b to your computer and use it in GitHub Desktop.
Using tc redirect to connect a virtual machine to a container network

Connecting a veth device to tap

  • veth device from CNI/CNM plugin: eth0
  • tap device that connects to the VM: tap0

Redirecting traffic between the two devices

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev tap0
tc qdisc add dev tap0 ingress
tc filter add dev tap0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev eth0

tc qdisc add dev eth0 ingress

  • Add a queuing discipline
  • on dev eth0
  • attach the ingress qdisc Here the handle defaults to ffff:

tc filter add dev eth0 parent ffff: protocol all u32 match u8 0 0 action mirred egress redirect dev tap0

  • Add a filter
  • to device dev eth0
  • to parent (class) handle to which we are attaching, ffff: i.e. ingress which we created before (there is no need for tc class add in the ingress case as it does not support classful queuing discplines).
  • protocol all
  • classifier u32
  • parameters to the classifier u8 0 0, and the first byte of the packet with 0 and if the result is 0 (which it always will be) (i.e. always true)
  • action mirred egress redirect dev eth0, redirect the packet to egress of dev eth0
@tamalsaha
Copy link

tamalsaha commented Sep 6, 2022

There is a CNI plugin for this https://github.com/awslabs/tc-redirect-tap used with firecracker

@mari0d
Copy link

mari0d commented Oct 7, 2022

@tamalsaha
Copy link

lol indeed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment