[lxc-users] Filtering packages MARKed on host

Michael Evans mjevans1983 at gmail.com
Wed Aug 27 20:33:40 UTC 2014


It's my understanding that the model is passing the packets back down to a
virtual switch (an emulated switch within the kernel) and then back up a
networking stack within the container's view.

Therefore you need to investigate solutions that would work across a real
network as well.  Have you considered looking into VLAN tagging?


On Tue, Aug 26, 2014 at 6:18 AM, Norman Meilick <lxc-users at ml.irq0.de>
wrote:

> Hi,
>
> in my containers, I'm trying to filter packets using marks set by ebtables
> on the host, but it seems those marks are not propagated to the
> containers, and I wonder if there is a way to make it work.
>
> Example:
> I have a host with several physical NICs (e.g., intranet1, intranet2, wifi,
> extranet) that are all members of the bridge "mybridge".
>
> Containers are configured with one network interface (veth) that also
> becomes a member of "mybridge".
>
> Incoming packets on the host are marked depending on the physical
> interface they arrived on:
>
>   ebtables -t nat -A PREROUTING -i intranet1 -j mark --set-mark 0x1
>   ebtables -t nat -A PREROUTING -i intranet2 -j mark --set-mark 0x1
>   ebtables -t nat -A PREROUTING -i wifi      -j mark --set-mark 0x2
>   ebtables -t nat -A PREROUTING -i extranet  -j mark --set-mark 0x3
>
> Alas, when the packet arrives at the respective container, the
> mark is gone; I verified this via:
>
>   iptables -A INPUT -j NFLOG --nflog-group 20
>   tshark -i nflog:20 -n -V | grep NFULA_MARK
>
> Having a way to filter by incoming interface while keeping it
> simple by only having one virtual NIC would majorly simplify
> and unify firewalling inside my containers.
>
> I suspect the marks not being propagated is a feature of the
> network namespace, but maybe there's a way around that.
>
> Thanks in advance for any ideas...
> Norman
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
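The VLAN-tagging alternative raised in the reply above, as an added example that is not part of this thread: it maps each physical port's ingress zone to an 802.1Q VLAN on a VLAN-filtering bridge so the classification reaches the container, where ordinary iptables -i rules can act on it. The bridge and NIC names come from the thread; the VLAN IDs, the container-side port name veth-c1, the DRY_RUN switch and the iptables targets are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): replace host-side ebtables marks, which
# do not survive the hop into the container's network namespace, with 802.1Q
# VLAN tags that the bridge carries through to the container's veth.
# Assumptions: bridge "mybridge" with VLAN filtering support, container-side
# port "veth-c1", and the VLAN IDs used in plan() (all constructed for the demo).
set -eu

# With DRY_RUN=1 print the commands instead of executing them (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Enable VLAN filtering so port membership is enforced by the bridge itself.
enable_vlan_filtering() {
    run ip link set dev "$1" type bridge vlan_filtering 1
}

# Host port: untagged frames arriving on "$1" get VLAN "$2" as PVID, the same
# per-interface classification the ebtables --set-mark rules expressed.
host_port_rules() {
    run bridge vlan del dev "$1" vid 1 || true   # leave the default VLAN
    run bridge vlan add dev "$1" vid "$2" pvid untagged master
}

# Container port: carry every zone VLAN tagged, so the tag is visible inside.
container_port_rules() {
    port=$1; shift
    run bridge vlan del dev "$port" vid 1 || true
    for vid in "$@"; do run bridge vlan add dev "$port" vid "$vid" master; done
}

# Inside the container: one sub-interface per zone, then plain -i rules.
container_side_rules() {
    run ip link add link eth0 name "eth0.$1" type vlan id "$1"
    run ip link set "eth0.$1" up
    run iptables -A INPUT -i "eth0.$1" -j "$2"
}

plan() {
    enable_vlan_filtering mybridge
    host_port_rules intranet1 10; host_port_rules intranet2 10
    host_port_rules wifi 20;      host_port_rules extranet 30
    container_port_rules veth-c1 10 20 30
    container_side_rules 10 ACCEPT; container_side_rules 20 ACCEPT
    container_side_rules 30 DROP
}

if [ "${1:-}" = plan ]; then plan; fi
```

Run it as root with the argument `plan` to apply, or with DRY_RUN=1 to print the commands; the host-side functions run on the host and container_side_rules inside the container.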