
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 28 Apr 2004 - 20:22:39 BST


On Wed, Apr 28, 2004 at 05:35:07PM +0000, Liam Helmer wrote:
> On Wed, 2004-04-28 at 16:55, Alex Lyashkov wrote:
> > On Wed, 28.04.2004, at 19:45, Liam Helmer wrote:
> > > This question came up on the list a week or two ago, and the answer was
> > > that IPtables rules were changing the source address of outgoing
> > > connections. Did you check those to make sure that packets coming from
> > > your vserver addresses aren't being SNAT-ed to something?
> > Using ip routing rules does not fix all issues.
> > If I have a packet exchange with some address from the host and try to
> > send a packet from the VPS, the kernel selects the source address from
> > the routing cache and does not use the routing tables/rules.
> > If you use SNAT to change the address you must add NAT for local
> > connections, but it is not a light process for the kernel, and I am not
> > sure it helps.
>
> I wasn't saying he should put any in: I was saying that his problem
> might be that there's a rule there that's changing the address. Also,
> I'm talking about iptables (i.e. netfilter), not ip routing tables.
>
> Actually, you could fix a lot of it with ip routing tables, if you use
> policy routing (from x to y route to z with source a). I was considering
> playing around with this, but it's more complex. This is yet another
> place where having a netfilter_ctx patch would be helpful: for marking
> packets so they correspond to ip routing rules (from context q route to
> z with source a).

hmm, I do not see a problem with implementing a
netfilter for xid (on outgoing packets), if you
(or somebody else) volunteers to do the userspace
part (for netfilter) to configure it ...

this is not an option for incoming packets though
as you cannot determine the target context, until
the receiving socket is found (which is too late
for netfilter stuff ;)

best,
Herbert

> What I'm currently doing is doing SNAT on all vserver packets: that
> gives the most flexibility, with the vservers residing on a private
> internal ip. It also lets me share IPs better for vservers: I can have
> one vserver doing port 80, and one doing port 25 on the same ip, but I
> don't have to worry about one of them accidentally turning on a service
> and interfering with another one, 'cause they have different private
> IPs. It's not ideal for all setups, but then I'm not doing virtual
> hosting really, so I have different needs.
>
> Cheers,
> Liam
>
> >
> >
> > > Cheers,
> > > Liam
> > >
> > > On Wed, 2004-04-28 at 16:12, Alex Lyashkov wrote:
> > > > On Wed, 28.04.2004, at 18:46, ryanmh_at_comcast.net wrote:
> > > > > Howdy all:
> > > > >
> > > > > Incoming connections from a virtual server I'm running are appearing as if they are coming from the host. For example, on a third server (completely separate from the host/vserver), the httpd access_log shows entries from the host IP, and not the vserver IP, when accesses are coming from an app running in the vserver context.
> > > > >
> > > > > Is this expected behavior? Is there a way I can make vserver connections appear as if they are from the vserver? I saw a similar question in the IRC logs, but the answer appeared to be truncated.
> > > > >
> > > > > Thanks,
> > > > > Ryan
> > > > >
> > > > > p.s. Running vs1.3.8 and alpha util-vserver. The host and the vserver have been assigned different IP addresses on the same subnet.
> > > > >
> > > > >
> > > > See the archive of this list.
> > > > Correctly selecting the source address without completely separate
> > > > routing caches and routing tables is not possible, and Vserver does
> > > > not have it.
> > > > I reported this bug to the list, because freevps has the same problem
> > > > in one of the old snapshots.
> > >
>
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
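The two approaches Liam describes above (policy routing "from x route to z with source a" via a per-vserver table, and SNAT of a vserver living on a private address) as an added shell example; this is not code from the thread or from the vserver project, and the addresses, device name and table number are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or applies) the commands for
# the two fixes discussed: policy routing with an explicit "src", or SNAT.
# Addresses (RFC 5737 / RFC 1918), "eth0" and table 100 are placeholders.

# Policy routing: a dedicated table whose default route carries
# "src <vserver ip>", selected by a rule matching packets from that address.
policy_routing_cmds() {
    vsip=$1; gw=$2; dev=$3; table=$4
    printf 'ip route add default via %s dev %s src %s table %s\n' \
        "$gw" "$dev" "$vsip" "$table"
    printf 'ip rule add from %s table %s\n' "$vsip" "$table"
    # Alex's point: an existing host<->peer exchange leaves a cache entry
    # with the host address; flushing it matters on 2.4/2.6 kernels
    # (kernels from 3.6 on have no routing cache, so this is a no-op).
    printf 'ip route flush cache\n'
}

# SNAT variant (Liam's setup): vserver on a private address, rewritten to the
# public address in POSTROUTING so remote access_logs show that address.
snat_cmds() {
    privip=$1; pubip=$2; dev=$3
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$privip" "$dev" "$pubip"
}

# Print the commands (DRY_RUN=1, the default) or execute them line by line.
apply_cmds() {
    while IFS= read -r line; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$line"; else sh -c "$line"; fi
    done
}

# Check: does 'ip route show table N' output (on stdin) carry the expected src?
route_has_src() {
    grep -Eq "^default .* src $1( |$)"
}

# Stand-alone demonstration: print both command sets without applying them.
policy_routing_cmds 192.0.2.10 192.0.2.1 eth0 100 | apply_cmds
snat_cmds 10.0.0.2 192.0.2.10 eth0 | apply_cmds
```

Run with DRY_RUN=0 as root to apply; afterwards `ip route show table 100 | route_has_src 192.0.2.10` confirms the src is in place.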


Generated on Wed 28 Apr 2004 - 20:23:07 BST by hypermail 2.1.3