On Sat, Oct 21, 2006 at 02:38:05PM +0200, Baltasar Cevc wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi Marc,
> On 20.10.2006, at 21:42, Marc Kalberer wrote:
> >I get crazy on one prob.
> >I'm migrating a "normal" server inside a vserver
> >I setup a postgres(7.4) server inside a vserver so it listen to the
> >vserver-ip interface (10.0.0.151)
> >When I connect using
> >psql -h(vserverip) -Ublablabla (policy password)
> >I got a
> >IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
input interface, but no output interface, that means
the INPUT chain did block this packet, check it with
'iptables -t filter -L INPUT' and look for rules
dealing with 'lo'
> >SRC=10.0.0.151 DST=10.0.0.151 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> >PROTO=TCP SPT=5432 DPT=54937 WINDOW=32767 RES=0x00 ACK SYN URGP=0
> >Which is pretty strange since
> >- my firewall rules allow all connection from port 5432.
> I'd double-check the rules. Please note that you have lo traffic with
> non-lo IP addresses (as far as I can tell that's normally not the case
> without vserver). As far as I know the packets would have been from
> and to eth0 for example without the patched kernel.
nope, wrong, the packets would look exactly the same
without the vserver patch, local traffic is always
'local' and thus uses the loopback (lo) device
what would have been different (on the host or with
an unpatched kernel) is, that the command would have
chosen 127.0.0.1 instead (given that this is available
and assigned to lo, which is usually the case)
> Vserver should not change anything with Netfilter, except for the
> fact that you have to set up the rules on the host and that the
> interface names may change.
it doesn't change anything there. period.
> ((( Baltasar Cevc
> ) World wide web:
> * http://www.openairkino.net/ (a project for the local youth; German
> * http://technik.juz-kirchheim.de/ (programming and admin projects)
> * http://baltasar.cevc-topp.de/ (private homepage)
> ) Phone:
> +49 176 232 20 822
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
> -----END PGP SIGNATURE-----
> Vserver mailing list
Vserver mailing list
Received on Sun Oct 22 02:59:09 2006