[vserver] Prerouting identification of vserver packets

From: John A. Sullivan III <jsullivan_at_opensourcedevel.com>
Date: Sun 19 Jul 2009 - 05:45:57 BST
Message-Id: <1247978757.6456.24.camel@jaspav.missionsit.net.missionsit.net>

How can one tell iproute2 to distinguish packets from different vservers
before it makes a routing decision? We would like to establish different
routing tables for different vservers but need to do this before the
source address is determined in vservers with multiple interfaces. It
looks like my decision criteria for iproute2 routing rules are:
to
from
iif (incoming interface)
fwmark
tos and dsfield

To illustrate, let's suppose I have a vserver host with eth0 and tun0.
There are several vservers using eth0. Now imagine a vserver which uses
both interfaces, say eth0=10.1.1.10 and tun0=10.2.2.10 with a default
gateway of 10.1.1.1. Now I want packets destined for 10.3.3.0/24 to use
the 10.2.2.10 source address and the tun0 interface. I do not want any
of the other vservers to see the route to 10.3.3.0/24.

I can do:
ip route add 10.3.3.0/24 via 10.2.2.1 src 10.2.2.10 table special
but the challenge is defining a rule which will apply only to this
special vserver to read the special table.

ip rule add to 10.3.3.0/24 table special prio 1000
would be read by all vservers and I might as well put the route in the
main table.
ip rule add iif lo or eth0 would be the same.

ip rule from 10.1.1.10 table special pri 1000
would work but is too late to change the source address since the source
has obviously already been chosen. At least this appears to be the
behavior we observed when we tried this.

I could make 10.2.2.10 the primary address but then I have the reverse
problem for where I want to use 10.1.1.10 or when I introduce a third
interface.

I thought of using fwmark but all that does is transfer the problem of
identifying the traffic from a specific vserver to iptables.

So how does one identify traffic from a specific vserver in either
iptables or iproute2 other than by the source IP address? Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Received on Sun Jul 19 05:42:38 2009
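To make the behaviour described in the post concrete, here is a small constructed Python model (added here; not code from the post, the vserver project or the kernel) of policy routing: a rule walk followed by a longest-prefix match in the selected table. Assumptions: rules are evaluated by priority, and a `from` selector only matches once the packet has a source address, so a locally generated packet is looked up first without a source and again with the source that first lookup picked.

```python
# Constructed model of Linux policy routing for the post's scenario: a vserver
# with eth0=10.1.1.10 and tun0=10.2.2.10, default gateway 10.1.1.1.
# Not kernel code; it only models ip rule / ip route selection.
# table -> list of (prefix, prefixlen, gateway, preferred source, device)
TABLES = {
    "main": [
        ("10.1.1.0", 24, None, "10.1.1.10", "eth0"),
        ("10.2.2.0", 24, None, "10.2.2.10", "tun0"),
        ("0.0.0.0", 0, "10.1.1.1", "10.1.1.10", "eth0"),  # default gateway
    ],
    "special": [("10.3.3.0", 24, "10.2.2.1", "10.2.2.10", "tun0")],
}

def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def in_prefix(addr, prefix, plen):
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(prefix) & mask)

def rule_matches(rule, dst, src):
    # "from" compares against the packet's source; a locally generated packet
    # that has not bound a source yet has none, so the selector cannot match.
    if "to" in rule and not in_prefix(dst, *rule["to"]):
        return False
    if "from" in rule and (src is None or not in_prefix(src, *rule["from"])):
        return False
    return True

def lookup(rules, dst, src=None):
    """Walk rules by priority; the first table holding a matching route wins.
    Returns (table, outgoing device, source address used for the packet)."""
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if not rule_matches(rule, dst, src):
            continue
        best = None  # longest-prefix match within the selected table
        for route in TABLES[rule["table"]]:
            if in_prefix(dst, route[0], route[1]) and (best is None or route[1] > best[1]):
                best = route
        if best is not None:
            return rule["table"], best[4], src or best[3]
    return None

# "ip rule from 10.1.1.10 table special pri 1000" plus the default main rule
RULES_FROM = [{"prio": 1000, "from": ("10.1.1.10", 32), "table": "special"},
              {"prio": 32766, "table": "main"}]
# "ip rule add to 10.3.3.0/24 table special prio 1000" plus the main rule
RULES_TO = [{"prio": 1000, "to": ("10.3.3.0", 24), "table": "special"},
            {"prio": 32766, "table": "main"}]
```

With RULES_FROM the first lookup (no source) falls through to main and binds 10.1.1.10, and the second lookup then reaches the special table but keeps that source; with RULES_TO every source, including another vserver's address, reaches the special table.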