About this list Date view Thread view Subject view Author view Attachment view

From: Bjoern Steinbrink (bjoern.steinbrink_at_isp4p.net)
Date: Mon 27 Sep 2004 - 01:03:55 BST


On So, 2004-09-26 at 23:58, Gilles wrote:
> > Oops, I mixed up interfaces and aliases. What ifup tries to do is to set
> > a default route for packets originating from dummy0 (so that they would
> > actually leave through dummy0, for each and every target address). The
> > problem is, that dummy0 can't 'directly' reach 192.168.1.10 since this
> > address does not belong to dummy0's subnet. This will therefore always
> > fail.
>
> What can I do so that "ifup" doesn't attempt to do that?

remove the gateway part from /etc/network/interfaces
btw: you can have util-vserver set up the interface addresses for you.

>
> > Because there is no separate routing for the vserver. The routing
> > happens inside the (shared) kernel.
>
> Yes, as Herbert told, the strong point/main point of vserver is sharing
> resources.
>
> Eventually, it would imply that it is *not* possible to simulate the
> behaviour of a physical subnet by a virtual one. Am I right?

What about some fw rules? Everything coming from the outside (dev eth0
or whatever) targeting the 'virtual subnet' should be rejected. (If it
reaches the box at all... If the other boxes don't know a route to
192.168.3.0/24 the traffic won't ever reach it).

> > no routing occurs on the local host
> > [...]
> > Therefore no packets actually leave through dummy0, it's
> > either eth0 for outgoing traffic or lo for traffic that stays on the
> > host.
>
> Hence could I simply not bring up dummy0 on the host?
> I've just tried it: no connectivity! Why?
> So: the interface is needed to have connectivity, yet no packets flow
> through it. Strange, isn't it?

the ip address needs to be available. no dummy0, no ip address, where
should the traffic come from? You need an ip address to bind to to
accept and send packets, the interface is just the 'door' through which
the packets leave the box. Consider dummy0 a closed door, no traffic
will ever pass that door. lo is a room with two doors, traffic goes into
the room, is modified a little and leaves through the other door,
re-entering the local host. And eth0 is the door to the outside, with a
long tunnel and another door that leads to another box.
So there are effectively 2 doors to choose, either have the traffic stay
on the host, or leave it.

> Finally, is it completely useless to set up this virtual network, as
> opposed to simply give the vservers addresses on the existing 192.168.1.0
> network?

I guess it's a matter of the number of fw rules you will need...

> In the global (partly virtual, partly physical) network, are all packets
> (even those that originate from one vserver and targeted to another
> vserver inside the same host) seen by every host (even the other physical
> machines)?

no, they leave their socket's outgoing queue, walk into lo, come out of
lo and enter the incoming queue of the target socket.
Again, it doesn't matter on which interface the ip address is setup, the
packets always travel through the interface that leads to the target ip
address, and that's lo in our case. A vServer is in no way a separate
box.

Bjoern

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
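Bjoern's three points (the gateway line in the dummy0 stanza can never be installed, packets to any address configured on the box go through lo no matter which device holds the address, and taking dummy0 down removes the addresses and with them the connectivity) all follow from how the kernel selects a route: the destination is first checked against the host's own addresses, and only then is a longest-prefix match done over connected and gateway routes, where a gateway is accepted only if it is on-link via the named device. The following is an added example written for this archive page; it is not code from the post, from util-vserver or from the kernel. It models that lookup in Python with constructed addresses (192.168.1.5 on eth0, 192.168.3.1 to .3 on dummy0, 192.168.1.10 as the LAN router); the class and function names are my own.

```python
"""Model of the Linux route selection described in the post: the kernel first
checks whether the destination is one of the host's own addresses (the
"local" table, delivered via lo) and only then does a longest-prefix match
over connected and gateway routes. Added illustration with constructed
addresses; not the kernel's code and not part of util-vserver."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[Addr] = None   # None means on-link (a connected route)


class Host:
    """One shared kernel: every vserver on the box uses these same tables."""

    def __init__(self) -> None:
        self.local: Dict[Addr, str] = {}   # address -> device it is configured on
        self.routes: List[Route] = []

    def add_addr(self, dev: str, cidr: str) -> None:
        iface = ipaddress.ip_interface(cidr)
        self.local[iface.ip] = dev
        # Configuring an address also installs the connected route for its subnet.
        self.routes.append(Route(iface.network, dev))

    def add_route(self, prefix: str, dev: str, via: Optional[str] = None) -> None:
        gw = ipaddress.ip_address(via) if via else None
        if gw is not None and not self._on_link(dev, gw):
            # This is what a "gateway" line for dummy0 runs into: the kernel
            # refuses a nexthop that is not on-link via that device (the
            # "onlink" route flag is the only way around it).
            raise ValueError(f"nexthop {gw} is not on-link via {dev}")
        self.routes.append(Route(ipaddress.ip_network(prefix), dev, gw))

    def del_dev(self, dev: str) -> None:
        """Bring an interface down: its addresses and its routes disappear."""
        self.local = {a: d for a, d in self.local.items() if d != dev}
        self.routes = [r for r in self.routes if r.dev != dev]

    def _on_link(self, dev: str, addr: Addr) -> bool:
        return any(r.via is None and r.dev == dev and addr in r.prefix
                   for r in self.routes)

    def lookup(self, dst: str) -> Tuple[str, Optional[Addr]]:
        """Return (egress device, gateway or None) for a destination."""
        d = ipaddress.ip_address(dst)
        if d in self.local:
            return ("lo", None)   # local delivery, whatever device holds the address
        candidates = [r for r in self.routes if d in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {d}")
        best = max(candidates, key=lambda r: r.prefix.prefixlen)
        return (best.dev, best.via)


def build_host() -> Host:
    """The setup from the thread with constructed addresses: eth0 on the
    physical 192.168.1.0/24 LAN, dummy0 carrying the virtual 192.168.3.0/24
    subnet and the vservers' addresses."""
    h = Host()
    h.add_addr("eth0", "192.168.1.5/24")
    h.add_route("0.0.0.0/0", "eth0", via="192.168.1.10")   # LAN router
    h.add_addr("dummy0", "192.168.3.1/24")                  # host side of the virtual net
    h.add_addr("dummy0", "192.168.3.2/24")                  # vserver A
    h.add_addr("dummy0", "192.168.3.3/24")                  # vserver B
    return h


def gateway_on_dummy0_is_rejected(h: Host) -> bool:
    """What a 'gateway 192.168.1.10' line in the dummy0 stanza attempts."""
    try:
        h.add_route("0.0.0.0/0", "dummy0", via="192.168.1.10")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    host = build_host()
    print(host.lookup("192.168.3.3"))    # vserver A -> vserver B: ('lo', None)
    print(host.lookup("192.168.3.77"))   # unused virtual address: ('dummy0', None), the closed door
    print(host.lookup("203.0.113.7"))    # off-site: ('eth0', IPv4Address('192.168.1.10'))
    print(gateway_on_dummy0_is_rejected(host))   # True
    host.del_dev("dummy0")
    print(host.lookup("192.168.3.2"))    # dummy0 down: ('eth0', IPv4Address('192.168.1.10'))
```

The last lookup is the "no connectivity" Gilles saw: once dummy0 is down the vserver's address is no longer local, so a packet for it matches only the default route and leaves the box toward the LAN router instead of being delivered on lo. The same lookup also shows why Bjoern's firewall suggestion is about rules on eth0 rather than dummy0: nothing ever exits through dummy0 except packets for unused addresses of the virtual subnet, and those are simply dropped.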


Generated on Mon 27 Sep 2004 - 01:04:27 BST by hypermail 2.1.3