From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 06 Jun 2004 - 12:32:07 BST
On Sun, Jun 06, 2004 at 07:58:23PM +0930, Ron wrote:
> I'm enquiring about a post from a few months back:
> > the Linux kernel including 2.4.22 does not masquerade local
> > created ip packets (eg. from a vps). in connection with
> > ip4chbind, masquerading of these packets gets more important if
> > you do not want to assign a public ip to every vserver or run the
> > vservers on additional physical hardware inside the local lan.
> okay, I found that out yesterday as I tested the setup you want to
> use, but I'm not sure if local masquerading (on aliased interfaces)
> will work as expected at all ... guess we have to test ...
> > A patch from Stefan Metzmacher can be found at:
> > http://lists.netfilter.org/pipermail/netfilter-devel/2002-January/006505.html
> will adapt that to the recent kernels, anybody willing to test that
> with several setups?
> I've just rebuilt a new vserver using kernel 2.4.26 + vs1.27 (after
> confirming this box still has trouble with 2.6.6). For the next few
> days I need to tunnel it out via a ppp connection on the same machine
> and, of course, I'm also seeing the problem described above.
> Can anyone recall if Stefan's patch was rejected because it actually caused
> other problems, or (as is often the case) did this just fall through the
> cracks because nobody expressed any interest in following it up?
> If the latter, I can try it on the vserver box I have and let you know
> the results, though I suspect something a little more complex than
> Stefan's patch is what is really required because you surely only want
> to masq packets that aren't already attached to the public interface.
hmm, well, the idea of 'local masquerading'
is a little strange, because there really is
no reason to do local masquerading at all ...
masquerading is a special form of (S)NAT which
'remaps' the source ports dynamically to use
one address for many different hosts/ips
this isn't required for different vservers on
the same host, as they will not bind to the
same source port for an outgoing connection.
> For now SNAT'ing the aliased interface is getting me by, but this seems
> like a FIXME that would be nice to get rid of if we can.
so your setup is fine, if you have configured the
SNAT to substitute your external address for the
local addresses of your vservers
as a matter of fact, that's the way it should be
Vserver mailing list
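Herbert's point above, as an added example that is not part of the thread: a small Python model of plain SNAT (source address rewritten, source port kept) beside masquerade-style port remapping, using constructed addresses and ports. It shows why two vservers on one host translate cleanly under plain SNAT, while two separate LAN hosts that happened to pick the same ephemeral port would need the port remapping that masquerading provides.

```python
# Added example, not code from the thread: a simplified model of the SNAT vs
# masquerade distinction. All addresses and ports are constructed samples.

PUBLIC_IP = "203.0.113.10"   # constructed external (ppp/public) address
REMAP_BASE = 61000           # constructed start of the port-remapping range


def translate(flows, public_ip=PUBLIC_IP, remap_ports=False):
    """Rewrite the source address of each outgoing flow to public_ip.

    flows: list of (src_ip, src_port, (dst_ip, dst_port)) tuples.
    Plain SNAT (remap_ports=False) keeps the original source port, so two
    flows that map to the same (public_ip, port, dst) tuple collide and
    replies could not be matched back to the right flow. Masquerade-style
    behaviour (remap_ports=True) allocates a fresh source port instead.
    Returns a list of (original_flow, translated_tuple) pairs.
    """
    in_use = {}            # translated tuple -> original flow
    result = []
    next_port = REMAP_BASE
    for src_ip, src_port, dst in flows:
        key = (public_ip, src_port, dst)
        if key in in_use:
            if not remap_ports:
                raise ValueError(f"SNAT collision: {key} used by {in_use[key]}")
            while (public_ip, next_port, dst) in in_use:
                next_port += 1
            key = (public_ip, next_port, dst)
            next_port += 1
        in_use[key] = (src_ip, src_port, dst)
        result.append(((src_ip, src_port, dst), key))
    return result


WEB = ("198.51.100.5", 80)   # constructed destination

# Two vservers on one host draw ephemeral ports from the host's single pool,
# so their local IPs differ and their ports differ: plain SNAT suffices.
SAME_HOST = [("10.0.0.11", 32768, WEB), ("10.0.0.12", 32769, WEB)]

# Two separate LAN hosts may each pick the same ephemeral port: plain SNAT
# collides and only the port-remapping form (masquerading) resolves it.
LAN_HOSTS = [("192.168.1.2", 32768, WEB), ("192.168.1.3", 32768, WEB)]

if __name__ == "__main__":
    print(translate(SAME_HOST))
    print(translate(LAN_HOSTS, remap_ports=True))
```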