Giovanni Di Stasi wrote:
> Hi everyone,
> I need to recognise packets generated inside a host, so that I can apply some
> iptables rules to them.
> I seem to remember that packets generated by a host are marked, so that they
> can be recognised by "-m connmark --mark" of iptables. However I did some
> tests using the nid of the guest as mark, but packets didn't get caught.
> Second question: I also need to capture the packets (still generated inside a
> guest) with an "ip rule" rule, in order to route that packets with a
> different routing table. Does the mark apply in this case?
I just use the source address for `ip rule`.
ip rule add from <host> table <special routing table>
I think by default vservers do not have access to promiscuous mode or the
ability to bind to raw sockets.
Received on Tue Jan 22 16:41:05 2008
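The source-address approach from the reply above, as an added example that is not part of the original thread: it installs a dedicated routing table for one guest's address and then runs the checks an admin would use to confirm the kernel picks that table. The guest address, table number, gateway and device are constructed sample values, and by default the script only prints the `ip` commands (set DRY_RUN=0 and run as root to apply them).

```shell
#!/bin/sh
# Added example: policy routing for packets that originate from a vserver
# guest, selected by the guest's source address (as the reply suggests).
# All values below are constructed samples; replace them with your own.

GUEST_IP="10.0.0.5"        # address assigned to the guest (constructed)
TABLE="100"                # dedicated routing table id (constructed)
GATEWAY="192.168.1.254"    # next hop for the guest's traffic (constructed)
DEV="eth1"                 # interface that reaches that gateway (constructed)
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print commands, 0 = execute (needs root)

# run: echo the command and execute it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# guest_policy_routing: route everything sent from $1 via table $2.
# The rule gets an explicit priority so it can be found and removed later;
# the guest's default route lives only in the dedicated table.
guest_policy_routing() {
    ip="$1"; table="$2"; gw="$3"; dev="$4"
    run ip route add default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$ip" table "$table" priority 1000
    # older kernels keep a routing cache that must be flushed after rule changes
    run ip route flush cache
}

# verify_policy_routing: show the rule, the table, and the path the kernel
# would choose for a packet carrying the guest's source address.
verify_policy_routing() {
    ip="$1"; table="$2"
    run ip rule show
    run ip route show table "$table"
    # 'from' + 'iif' makes 'ip route get' resolve as if the guest had sent it
    run ip route get 203.0.113.1 from "$ip" iif lo
}

# dry run with the sample values; set DRY_RUN=0 to apply for real
guest_policy_routing "$GUEST_IP" "$TABLE" "$GATEWAY" "$DEV"
verify_policy_routing "$GUEST_IP" "$TABLE"
```

Note that the rule matches on the source address only; if the host itself ever sends with that address (for example via SNAT), it will be routed through the guest's table too, so keep guest addresses distinct from host addresses.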