[lxc-users] Filtering packages MARKed on host
Norman Meilick
lxc-users at ml.irq0.de
Tue Aug 26 13:18:45 UTC 2014
Hi,
in my containers, I'm trying to filter packets using marks set by ebtables
on the host, but it seems those marks are not propagated to the
containers, and I wonder if there is a way to make it work.
Example:
I have a host with several physical NICs (e.g., intranet1, intranet2, wifi,
extranet) that are all members of the bridge "mybridge".
Containers are configured with one network interface (veth) that also
becomes a member of "mybridge".
Incoming packets on the host are marked depending on the physical
interface they arrived on:
ebtables -t nat -A PREROUTING -i intranet1 -j mark --set-mark 0x1
ebtables -t nat -A PREROUTING -i intranet2 -j mark --set-mark 0x1
ebtables -t nat -A PREROUTING -i wifi -j mark --set-mark 0x2
ebtables -t nat -A PREROUTING -i extranet -j mark --set-mark 0x3
Alas, when the packet arrives at the respective container, the
mark is gone; I verified this via:
iptables -A INPUT -j NFLOG --nflog-group 20
tshark -i nflog:20 -n -V | grep NFULA_MARK
Having a way to filter by incoming interface while keeping it
simple by only having one virtual NIC would majorly simplify
and unify firewalling inside my containers.
I suspect the marks not being propagated is a feature of the
network namespace, but maybe there's a way around that.
Thanks in advance for any ideas...
Norman
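The check in the post (`iptables -A INPUT -j NFLOG --nflog-group 20` followed by `tshark -i nflog:20 -n -V | grep NFULA_MARK`) gives raw lines that are tedious to eyeball. Below is an added helper, not part of the original message, that reads that verbose tshark output and tallies which mark values actually reached the container, so a lost mark shows up as a count of mark 0 rather than something you have to spot by hand. It assumes the NFLOG dissector prints one `NFULA_MARK: 0x...` line per logged packet (adjust `NFULA_MARK_RE` if your tshark version formats it differently); the interface-to-mark table `EXPECTED_MARKS` and the sample output `SAMPLE` are constructed here to match the rules in the post.

```python
"""Tally NFULA_MARK values from `tshark -i nflog:20 -n -V` output.

Added example, not from the original post. The line format matched by
NFULA_MARK_RE is an assumption about tshark's NFLOG dissector output.
"""
import re
import sys
from collections import Counter

# One line per logged packet, e.g. "        NFULA_MARK: 0x00000002".
NFULA_MARK_RE = re.compile(r"NFULA_MARK:\s*(0x[0-9a-fA-F]+|\d+)")

# Mark values the host-side ebtables rules in the post assign (constructed table).
EXPECTED_MARKS = {0x1: "intranet", 0x2: "wifi", 0x3: "extranet"}


def parse_marks(text):
    """Return a Counter of mark values found in verbose tshark output."""
    counts = Counter()
    for match in NFULA_MARK_RE.finditer(text):
        value = match.group(1)
        mark = int(value, 16) if value.lower().startswith("0x") else int(value)
        counts[mark] += 1
    return counts


def classify(counts, expected=EXPECTED_MARKS):
    """Map each observed mark to a verdict string.

    mark 0 means the packet arrived unmarked: either the host never set a
    mark or it was cleared on the way into the container's netns.
    """
    verdict = {}
    for mark, n in sorted(counts.items()):
        if mark == 0:
            verdict[mark] = f"{n} packet(s) with no mark (lost or never set)"
        elif mark in expected:
            verdict[mark] = f"{n} packet(s) from zone {expected[mark]}"
        else:
            verdict[mark] = f"{n} packet(s) with unexpected mark {mark:#x}"
    return verdict


def marks_propagated(counts):
    """True only if every logged packet carried a non-zero mark."""
    return sum(counts.values()) > 0 and counts.get(0, 0) == 0


# Constructed sample: two packets arrived unmarked, one kept the wifi mark.
SAMPLE = """\
Frame 1: 98 bytes on wire
Linux Netfilter NFLOG Protocol
    TLV
        TLV Type: NFULA_MARK (10)
        NFULA_MARK: 0x00000000
Frame 2: 98 bytes on wire
Linux Netfilter NFLOG Protocol
    TLV
        TLV Type: NFULA_MARK (10)
        NFULA_MARK: 0x00000002
Frame 3: 98 bytes on wire
Linux Netfilter NFLOG Protocol
    TLV
        TLV Type: NFULA_MARK (10)
        NFULA_MARK: 0x00000000
"""


if __name__ == "__main__":
    # Pipe live output in: tshark -i nflog:20 -n -V | python3 nflog_marks.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    seen = parse_marks(data)
    for mark, text in classify(seen).items():
        print(f"mark {mark:#x}: {text}")
    print("marks propagated:", marks_propagated(seen))
```

Run it inside the container against the live NFLOG feed; if the output is dominated by mark 0 while the host-side `ebtables -t nat -L PREROUTING --Lc` counters are increasing, the marks are being set but do not survive into the container, which is the symptom described above.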