Hello StackOverflow community,
I have a specific scenario I’m trying to implement, and I haven’t found any solution on this forum. I hope you guys may be able to help me.
I currently have a Lubuntu 22.04 host with 2 Network Cards:
First card (ens33) is acting as a management interface (to manage the Host and have access to the internet)
Second card (ens34) is acting as a promiscuous interface (port-mirroring configured on switch to send traffic on that interface).
if I run tcpdump -i ens34 on the host machine, I am able to see the captured packets.
Now my first test was to be able to capture packets inside of an LXD container, so I ran this command:
lxc config device add centos-worker1 eth1 nic name=eth1 nictype=physical parent=ens34
with this, when I ran tcpdump -i eth1 inside of centos-worker1 container, I was once again able to capture packets.
However, as you already know, using nictype=physical makes ens34 interface from the host vanish, and this interface will only be accessible by centos-worker1 container under the name of eth1.
This is where I’m currently stuck, because my second test consists of using ens34 somewhere else. (A virtualbox VM running on the Host machine in parallel to LXD.)
I tried replacing nictype=physical to nictype=macvlan, but when I run tcpdump -i eth1 in container, I am unable to get captured packets.
I tried creating a bridge on the host ip link add ens35 type bridge and linking it to ens34 using ip link set ens34 master ens35 and then pushing a copy of ens35 in centos-worker1 by replacing nictype to bridged for parent=ens35 but tcpdump still has no traffic on eth1 (even though both ens34 and ens35 have traffic on host)
I tried adding firewall rules like ufw allow in on ens35, ufw route allow in on ens35, ufw route allow out in ens35 in case my firewall was blocking traffic. However I still don't see traffic inside of the container. I saw about 70 packets under 168.254.X.X ip address, when I was actually sending 40 000 packets to that interface. So I don’t think these 70 packets were linked in any sort to my 40 000 packets. I think they were just some intercommunication between the bridge probably. On the host however, I was able to view these 40 000 packets with tcpdump.
Is there a way where I can make my LXD container capture packets while at the same time keep my parent interface in my host machine so that I can also use it to capture traffic in parallel?
Thanks a lot for you help on this topic.
I finally figured it out.
In netplan I configured a bridge called br0 with parameters:
I then allowed the bridge to forward traffic via ufw:
I then configured a device on LXD node, using the bridged nictype with parent=br0.
And finally I enabled promisc on the bridge and all interfaces connected to the bridge.