From: Gilles (gilles_at_harfang.homelinux.org)
Date: Sun 26 Sep 2004 - 22:58:59 BST

• Previous message: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"
• In reply to: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"
• Next in thread: Herbert Poetzl: "Re: [Vserver] Proxy, DMZ"
• Reply: Herbert Poetzl: "Re: [Vserver] Proxy, DMZ"
• Reply: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"

> Oops, I mixed up interfaces and aliases. What ifup tries to do is to set
> a default route for packets originating from dummy0 (so that they would
> actually leave through dummy0, for each and every target address). The
> problem is, that dummy0 can't 'directly' reach 192.168.1.10 since this
> address does not belong dummy0's subnet. This will therefore always
> fail.

What can I do so that "ifup" doesn't attempt to do that?

> Because there is no separate routing for the vserver. The routing
> happens inside the (shared) kernel.

Yes, as Herbert told, the strong point/main point of vserver is sharing
resources.

Eventually, it would imply that it is *not* possible the simulate the
behaviour of a physical subnet by a virtual one. Am I right?

> Even if you can't see the interface
> in the vserver, it is still available for routing.

Actually the interfaces *can* be seen from inside the vserver.
Anyway, it would be even more confusing if it were hidden...

> no routing occurs on the local host
> [...]
> Therefore no packets actually leave through dummy0, it's
> either eth0 for outgoing traffic or lo for traffic that's stays on the
> host.

Hence could I simply not bring up dummy0 on the host?
I've just tried it: no connectivity! Why?
So: the interface is needed to have connectivity, yet no packets flows
through it. Strange, isn't it?

Finally, is it completely useless to set up this virtual network, as
opposed to simply give the vservers addresses on the existing 192.168.1.0
network?
In the global (partly virtual, partly physical) network, are all packets
(even those that originate from one vserver and targetted to another
vserver inside the same host) seen by every hosts (even the other physical
machines)? If yes, than it would seem more secure to set up a virtual
subnet, so that traffic between vservers does not leak outside the host.
If not ...

Gilles
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

• Previous message: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"
• In reply to: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"
• Next in thread: Herbert Poetzl: "Re: [Vserver] Proxy, DMZ"
• Reply: Herbert Poetzl: "Re: [Vserver] Proxy, DMZ"
• Reply: Bjoern Steinbrink: "Re: [Vserver] Proxy, DMZ"