Re: [Vserver] traffic accounting and shaping

From: Nikolay Kichukov <hijacker_at_oldum.net>
Date: Tue 16 May 2006 - 07:13:19 BST
Message-Id: <1147760000.3030.15.camel@ccja.localhost>

Thanks Herbert,
I will definitely keep testing to see if all works as said. If there are
any issues, I will let the list know.

btw, is it normal that the routing table in a guest looks something
like:

the same as the one on the host, except for the default gw? All the
fields for default gw show 0.0.0.0 ?

Regards,
-nik

On Sat, 2006-05-13 at 16:50 +0200, Herbert Poetzl wrote:
> On Sat, May 13, 2006 at 03:45:38PM +0300, Nikolay Kichukov wrote:
> > Good afternoon all.
> >
> > The topic I would like to discuss here is how one is able to set up the
> > host so it does traffic accounting with iptables and traffic shaping
> > and policing with iproute2 for a guest on the host.
> >
> > What brought me to this was a recent posting named "What is the best
> > way to connect from 1 vserver to other vserver within the same host
> > ?" There I learned that the guest connections actually go through
> > the host lo interface?! Which alternatively made me think why did I
> > ever create a file called dev with one of my interfaces there if the
> > traffic from the guest goes through the host loopback device? Can
> > someone please elaborate a bit more on this topic?
>
> well, it's the way the linux (and probably many other)
> network stack works, local traffic is sent via lo,
> remote traffic is sent via some network card/interface
>
> check out this ancient posting for some ideas:
> http://archives.linux-vserver.org/200311/0470.html
>
> > Then, having the following setup:
> > dev=eth0 which is the interface that is connected to the internal LAN
> > ip=localIPaddress of the vserver
> >
> > in this scenario I have an entry in the nat table on the host that
> > allows the guest to use the internet on the $EXTERNALINTERFACE :
> >
> > iptables -t nat -A POSTROUTING -s localIPaddress/32 -j SNAT --to $EXTERNALIP
> >
> > is there a way I can go without that if I configure the guest with
> > nodev?
>
> dev vs nodev does not change _anything_ regarding
> the way how the routing, nat and networking works
>
> 'dev' means that on guest startup, the 'ip' is
> created on that device, and on guest shutdown the
> same ip is removed again. 'nodev' just means that
> no ip is created at all, and the specified 'ip'
> is considered to exist already ...
>
> > Now about the traffic accounting topic, which are the tables that the
> > packets generated from the guest and going back to the guest traverse
> > to get to the internet on the $EXTERNALINTERNET eth1? If dev contains
> > eth0, that is the internal interface and the other variant with nodev?
>
> there is no 'internal' interface except for lo for
> local traffic, for the 'external' traffic, the routing
> and device setup will decide which ip and interface
> is used ...
>
> > The other point is about traffic shaping and policing. I use tc to do
> > traffic shaping and policing for computers in the LAN and for the host
> > itself. Now if I want to add limits for the guest, can I use eth0 to
> > limit the max allowed outgoing speed? And then the max download speed
> > on eth0? As a summary - will the packets on the guest go through the
> > eth0?
>
> everything, including the traffic accounting and
> network shaping work like on a normal linux system,
> all connection from a guest can be considered like
> the host connections, so all that stuff is identical
> to a linux system without the Linux-Vserver patch
>
> > Maybe that e-mail got too long and difficult to follow.
> > Any help or further questions will be appreciated...
>
> HTH,
> Herbert
>
> > Thanks and Regards,
> > -Nik

-- 
When we are happy, we are good.
But when we are good, we are not always happy...
-Oscar Wilde
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Tue May 16 07:13:46 2006
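
Added example, not part of the original messages: Herbert's point that guest connections behave like host connections, applied to per-guest accounting and egress shaping. Guest packets are locally generated on the host, so the counting rules sit in INPUT/OUTPUT, and because SNAT runs before the qdisc the guest is marked in mangle and shaped by fwmark. The address, interface, rate and mark are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-guest accounting and egress shaping on a Linux-VServer host.
# All values below are constructed placeholders, not taken from the thread.
GUEST_IP="${GUEST_IP:-192.168.0.10}"  # guest address (the "ip" file)
EXT_IF="${EXT_IF:-eth1}"              # Internet-facing interface
RATE="${RATE:-512kbit}"               # egress ceiling for the guest
MARK="${MARK:-10}"                    # fwmark that ties iptables to tc
APPLY="${APPLY:-0}"                   # 0 = print commands, 1 = run them (root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

guest_rules() {
    ip=$1; ext=$2; rate=$3; mark=$4

    # Accounting: guest packets are local to the host, so they pass through
    # OUTPUT and INPUT, not FORWARD. Rules without a target only count.
    run iptables -A OUTPUT -s "$ip" -o "$ext"
    run iptables -A INPUT -d "$ip" -i "$ext"

    # Shaping: SNAT rewrites the source address in POSTROUTING, before the
    # packet reaches the qdisc, so mark it in mangle/OUTPUT and let tc
    # classify on the mark instead of on the guest address.
    run iptables -t mangle -A OUTPUT -s "$ip" -o "$ext" -j MARK --set-mark "$mark"

    # Assumes no root qdisc exists on $ext yet. HTB without a default class
    # leaves unmarked (host) traffic unshaped.
    run tc qdisc add dev "$ext" root handle 1: htb
    run tc class add dev "$ext" parent 1: classid 1:10 htb rate "$rate" ceil "$rate"
    run tc filter add dev "$ext" parent 1: protocol ip prio 1 handle "$mark" fw flowid 1:10
}

guest_rules "$GUEST_IP" "$EXT_IF" "$RATE" "$MARK"
# Read the counters later with: iptables -L OUTPUT -v -n -x
```

Run it unchanged to review the generated commands; set APPLY=1 as root to install them.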