On Wed, Apr 18, 2018 at 01:27:19PM +0200, Christoph Pleger wrote:
> Hello,
> On a real host, I have two vservers running with their own
> respective network namespaces, like described on
> http://linux-vserver.org/util-vserver:SplitSharedNetworks.
> On both vservers, I created IP filter rules using nftables/nft.
> But unfortunately, though all "normal" filter rules are working
> as desired, rules that need connection tracking helpers, like
> ftp and tftp, do not - some ip packets are blocked, though they
> should not be blocked. A check on a real machine gave correct
> results.
Network namespaces are a mainline feature (i.e. nothing
Linux-VServer specific) so you should be able to test
them on a 'normal' machine and they should work the same
in a guest (without IP isolation) utilizing network
namespaces.
> So, it is probable that there are some restrictions in using
> connection tracking helpers inside vservers.
As far as I know those are part of the kernel, not userspace,
so they should not be affected by the user space restrictions
or isolation itself.
> Does anybody here know about such restrictions?
> And is it possible to workaround them, maybe by adding a
> capability to the vserver?
If there are userspace processes involved, you might want
to try to simply give all capabilities to a guest just to
verify, in which case there will be no restrictions compared
to the host.
Hope this helps,
Herbert
> Regards
> Christoph
Received on Wed Apr 18 15:46:51 2018
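The reproduction Herbert suggests, as an added example that is not part of the original thread: load an nftables ruleset that uses the ftp conntrack helper inside a plain network namespace on a normal host (run as root, with iproute2 and nft installed), dump what the kernel holds in that namespace, and check the dump for the three things a helper rule set needs. The namespace name, helper object name, addresses-free ruleset and the check function are all made up for this example. The one kernel fact the check relies on is that since Linux 4.7 the default of nf_conntrack_helper is 0, so a helper is only attached to a connection when a rule explicitly assigns it.

```shell
#!/bin/sh
# Added example (not from the original thread): test an nft ftp-helper
# ruleset inside a network namespace and check it for the three pieces
# a helper needs. Names below are illustrative.

# Emit the test ruleset. A conntrack helper needs:
#  1. a "ct helper" object naming the kernel helper module (nf_conntrack_ftp),
#  2. a rule assigning it to the control connection (tcp/21); kernels >= 4.7
#     ship with nf_conntrack_helper=0, so nothing is assigned automatically,
#  3. an accept for "ct state related", or the data connection is dropped
#     even though the control connection is allowed.
make_ruleset() {
    cat <<'EOF'
table inet filter {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        tcp dport 21 ct helper set "ftp-standard"
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 21 accept
    }
}
EOF
}

# Check a ruleset text (a file, or the output of "nft list ruleset") for the
# three pieces above. Returns 0 if all are present, 1 and a note on stderr
# otherwise. Hypothetical helper written for this example.
check_helper_ruleset() {
    _rs="$1"
    _missing=""
    grep -Eq '^[[:space:]]*ct helper [^ ]+ \{' "$_rs" || _missing="$_missing helper-object"
    grep -Eq 'ct helper set' "$_rs"               || _missing="$_missing helper-assignment"
    grep -Eq 'ct state [^ ]*related[^ ]* accept' "$_rs" || _missing="$_missing related-accept"
    if [ -n "$_missing" ]; then
        echo "ruleset $_rs missing:$_missing" >&2
        return 1
    fi
    return 0
}

# Load the ruleset in a fresh namespace, dump what the kernel actually holds
# there, and run the check on the dump. Needs root, iproute2 and nft.
# Usage: run_in_netns <namespace-name>
run_in_netns() {
    _ns="$1"
    ip netns add "$_ns" || return 1
    ip netns exec "$_ns" ip link set lo up
    if ! make_ruleset | ip netns exec "$_ns" nft -f -; then
        ip netns del "$_ns"
        return 1
    fi
    # Per-namespace view of the sysctl and of the loaded rules.
    ip netns exec "$_ns" sysctl net.netfilter.nf_conntrack_helper
    ip netns exec "$_ns" nft list ruleset > "/tmp/${_ns}.nft"
    check_helper_ruleset "/tmp/${_ns}.nft"
    _rc=$?
    ip netns del "$_ns"
    return $_rc
}

# Only touch the kernel when asked explicitly: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    run_in_netns vsrv-helper-test
fi
```

Running the same ruleset through `check_helper_ruleset` inside a Linux-VServer guest (which needs CAP_NET_ADMIN for both `ip netns` and `nft`) and on the host, then diffing the two `nft list ruleset` dumps, is the quickest way to see whether the guest loaded fewer rules than the host or dropped the helper assignment.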