From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 30 Apr 2004 - 00:23:04 BST
On Thu, Apr 29, 2004 at 06:07:22PM +0000, Liam Helmer wrote:
> > hmm, I do not see a problem with implementing a
> > netfilter for xid (on outgoing packets), if you
> > (or somebody else) volunteers to do the userspace
> > part (for netfilter) to configure it ...
> I'm up for it. We'd have to all decide on what people want it to do,
> exactly, but that's cool. Something along the lines of:
> Enforcing routing of outgoing packets to always use the vserver's
> source IP(s)
this is something which will be solved by the next
step when I clean up the network implementation of
vserver (and should already work partially), so I
think this should not require special rules ...
> Enforcing routing so that a vserver will only use certain
> interfaces for routing outgoing packets
this can already be done by using a separate routing
table for each vserver (~250 are available) and
assigning an appropriate rule to map ip ranges to
the right table ...
> Allowing NAT of vserver packets when going out certain interfaces
> Allowing bandwidth control of outgoing vserver bandwidth
and special accounting rules (by traffic classes) would
be good candidates for such a tagging ...
> This would have to play nice with firewall and network code naturally.
> I've implemented something to play nice with gentoo network and
> shorewall, some of which is portable.
> > this is not an option for incoming packets though
> > as you cannot determine the target context, until
> > the receiving socket is found (which is too late
> > for netfilter stuff ;)
> Actually, there is a way of doing this with the netfilter connmark
> extension (newer netfilter patch). What you do is mark the connection
> (not the packet) when the vserver host sends out its first ack packet:
> you can identify which context it's coming from at that point. So, no,
> you can't identify the actual incoming connection, but you can still
> apply traffic shaping and routing on a per vserver basis that way.
> This would apply to any protocol supported by conntrack: ftp, http,
> voip, etc. So, if you can add context id match support to netfilter, I
> think I should be able to get netfilter to mark the connection, even
> with incoming packets (on hosts that support this).
I'm not convinced that connection tracking is such
a good idea, but I guess we could do something different
for incoming packets: we could add a per network context
flag to limit a context to a certain tag, this way a
netfilter ruleset could decide which packets reach a
vserver and which don't ... without any need for a
Vserver mailing list
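An added example (not from this thread or the Linux-VServer project) of the per-vserver routing-table approach Herbert describes above: one routing table per guest plus an ip rule mapping the guest's source IP to that table. It assumes iproute2, a hypothetical table id of 7, and a constructed guest address 192.0.2.10; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: pin a vserver's outgoing packets to their own routing
# table, so that guest can only leave via the interface/gateway we choose.
# Assumptions: iproute2 is installed; table ids 1..252 are free for guests
# (253 = default, 254 = main, 255 = local are reserved by the kernel).

# Check that a table id is a number in the usable guest range 1..252.
vserver_table_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 252 ]
}

# Print the command instead of running it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vserver_route <table-id> <guest-ip-or-cidr> <out-interface> <gateway>
# Packets whose source is the guest IP consult table <table-id>, whose only
# default route points at <gateway> on <out-interface>; the main table is
# never consulted for them, so the guest cannot route out another way.
vserver_route() {
    table="$1" src="$2" dev="$3" gw="$4"
    vserver_table_ok "$table" || { echo "bad table id: $table" >&2; return 1; }
    run ip route add default via "$gw" dev "$dev" table "$table" || return 1
    # Rule priority derived from the table id keeps guest rules distinct.
    run ip rule add from "$src" table "$table" priority "$(( 1000 + $table ))"
}
```

Run as root for the real thing, e.g. `vserver_route 7 192.0.2.10 eth1 192.0.2.1`; with `DRY_RUN=1` it only prints the two ip commands it would execute.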