Re: [vserver] IPtables, network namespaces

From: Fiedler Roman <Roman.Fiedler_at_ait.ac.at>
Date: Wed 21 Mar 2012 - 13:59:44 GMT
Message-ID: <9F69795E29C890408AC2DAF646C89BB379D161DB67@MAILBOX.arc.local>

Hello Christian,

Full network stack separation is not possible, but with newer kernels iptables for guest separation works and I'm using it quite frequently.

Since guests cannot add new rules, all rules are created on the host. Rules for guests are kept in separate files so that removing the rules together with the guest is easier.

Tell me if you are interested in (very simple) config examples.

Regards,
Roman

> -----Original Message-----
> From: Christian Balzer [mailto:chibi@gol.com]
> Sent: Wednesday, 21 March 2012 14:30
> To: vserver@list.linux-vserver.org
> Subject: [vserver] IPtables, network namespaces
>
>
> Hello,
>
> Every once in a while (actually more frequently than that) the need for
> iptables in a guest creeps up. And I'm not just talking about cases where
> people want to use iptables because it's the only hammer they know to beat
> packets into submission.
>
> Scouring this ML finds only a few mentions, most of them completely
> outdated, and I'm happy that I at least remembered reading about this more
> than 2.5 years ago and came up with the net namespaces search string as
> well.
>
> I believe any host-based iptables (as in some client tool messaging
> something on the host to manipulate a client-specific iptable) is
> cumbersome at best and prone to abuse at worst.
> Given the functionality of net namespaces, has anybody in the past 2.5
> years successfully used this with Vservers to set up a fully functional
> client network interface? Care to share your knowledge/experiences?
>
> No trace of this in util-vserver for now, AFAIK.
>
> Regards,
>
> Christian
> --
> Christian Balzer Network/Systems Engineer
> chibi@gol.com Global OnLine Japan/Fusion Communications
> http://www.gol.com/
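The host-managed, one-file-per-guest scheme Roman describes above, as an added example written for this archive page (it is not Roman's own config, nor part of util-vserver). It assumes a hypothetical rules directory `/etc/vserver-iptables.d/<guest>.rules`, a per-guest chain named `vs-<guest>`, matching on the guest's IP address, and an `IPT` variable that defaults to printing the commands instead of running them.

```shell
#!/bin/sh
# Host-side, per-guest iptables rules for Linux-VServer guests. Added example,
# not Roman's actual config. Guests cannot change iptables, so the host keeps
# one rules file per guest and loads it into a chain named after the guest;
# removing the guest means unhooking, flushing and deleting only that chain.
# Assumed (hypothetical) layout: $RULE_DIR/<guest>.rules, one rule per line
# without the chain name. IPT defaults to printing the commands so the result
# can be reviewed without root; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
RULE_DIR="${RULE_DIR:-/etc/vserver-iptables.d}"
# Create the guest's chain, hook it on the guest address, fill it from the file.
load_guest() {  # load_guest <guest> <guest-ip> [rulesfile]
    guest=$1; ip=$2; file=${3:-$RULE_DIR/$guest.rules}; chain="vs-$guest"
    $IPT -N "$chain"
    # Traffic to the guest (local or forwarded) and from the guest goes to it.
    $IPT -I INPUT -d "$ip" -j "$chain"
    $IPT -I FORWARD -d "$ip" -j "$chain"
    $IPT -I FORWARD -s "$ip" -j "$chain"
    # The guest's own rules, skipping comments and blank lines.
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r rule; do
        $IPT -A "$chain" $rule
    done
    # Whitelist semantics: anything the guest file did not accept is dropped.
    $IPT -A "$chain" -j DROP
}
# Reverse of load_guest: unhook first, then the chain can be flushed and deleted.
unload_guest() {  # unload_guest <guest> <guest-ip>
    guest=$1; ip=$2; chain="vs-$guest"
    $IPT -D INPUT -d "$ip" -j "$chain"
    $IPT -D FORWARD -d "$ip" -j "$chain"
    $IPT -D FORWARD -s "$ip" -j "$chain"
    $IPT -F "$chain"
    $IPT -X "$chain"
}
# Constructed sample rules for a guest "web1" at 10.0.0.11 (host is 10.0.0.1).
demo() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# allow replies, HTTP from anywhere, SSH only from the host
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport 80 -j ACCEPT
-p tcp --dport 22 -s 10.0.0.1 -j ACCEPT
EOF
    load_guest web1 10.0.0.11 "$f"
    unload_guest web1 10.0.0.11
    rm -f "$f"
}
demo
```

Because every guest lives in its own chain, `iptables -L vs-web1 -n` shows exactly what that guest is allowed, and `unload_guest` cannot disturb another guest's rules.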
Received on Wed Mar 21 13:59:57 2012

Generated on Wed 21 Mar 2012 - 13:59:57 GMT by hypermail 2.1.8