Re: [Vserver] Postgres, Vserver & Firewall

From: Baltasar Cevc <baltasar_at_cevc-topp.de>
Date: Sun 22 Oct 2006 - 10:26:33 BST
Message-Id: <26788a8b018ae4dafb7fe76f1cc891e2@cevc-topp.de>

On 22.10.2006, at 03:58, Herbert Poetzl wrote:
>
>>> SRC=10.0.0.151 DST=10.0.0.151 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0
>>> DF
>>> PROTO=TCP SPT=5432 DPT=54937 WINDOW=32767 RES=0x00 ACK SYN URGP=0
>>>
>>> Which is pretty strange since
>>> - my firewall rules allow all connection from port 5432.
>>
>> I'd double-check the rules. Please note that you have lo traffic with
>> non-lo IP addresses (as far as I can tell that's normally not the case
>> without vserver). As far as I know the packets would have been from
>> and to eth0 for example without the patched kernel.
>
> nope, wrong, the packets would look exactly the same
> without the vserver patch, local traffic is always
> 'local' and thus uses the loopback (lo) device
>
> what would have been different (on the host or with
> an unpatched kernel) is, that the command would have
> chosen 127.0.0.1 instead (given that this is available
> and assigned to lo, which is usually the case)
>
>> Vserver should not change anything with Netfilter, except for the
>> fact that you have to set up the rules on the host and that the
>> interface names may change.
>
> it doesn't change anything there. period.

Sorry, I obviously wrote nonsense. I just quickly thought
about it, didn't check my assumptions and made up wrong
conclusions because of that :-( Shame on me.

Baltasar


Received on Sun Oct 22 10:27:42 2006
