[lxc-users] firewall per sandbox

Vijay Viswanathan vijay.vishy at gmail.com
Thu Jun 5 23:21:17 UTC 2014


I tried net_cls but after creating a classid I couldn't proceed further with
iptables (I don't have tc in my target, so I am telling iptables to filter
for me).

# echo 0x100001 > /sys/fs/cgroup/net_cls/0/net_cls.classid
# cat /sys/fs/cgroup/net_cls/0/net_cls.classid
1048577

# iptables -t filter  -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP
iptables: No chain/target/match by that name.

# iptables -A OUTPUT -m cgroup ! --cgroup 0x100001 -j DROP
iptables: No chain/target/match by that name.


Thanks.




On Wed, Jun 4, 2014 at 2:19 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:

> On Wed, Jun 04, 2014 at 02:14:30PM -0700, Vijay Viswanathan wrote:
> > Hi,
> > What is the best way to implement a firewall in a container ?
> > Currently, I am thinking of associating an interface (let's say veth21)
> > to a container and applying iptables rules on that interface.
> > veth21 will be bridged to the host interface.
>
> You can indeed do that, or just do iptables in the container or if you
> have the net_cls cgroup enabled in your kernel, set net_cls.classid so
> that all packets coming from processes running in the container are
> automatically tagged for processing in netfilter (see
> https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt).
>
> >
> > This way I can filter traffic going in/out host network.
> >
> > Please comment.
> >
> > Thx.
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
>
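As an added example, not code from the thread or from LXC, the net_cls and iptables steps above wrapped in a small POSIX sh script: it derives the classid from the major/minor pair (which is why 0x100001 reads back as 1048577), checks that the iptables cgroup match is usable before adding a rule, and builds a rule that matches the container's cgroup positively rather than everything outside it. The cgroup name 0, the classid and the OUTPUT chain come from the thread; the helper names, the APPLY switch and the positive-match variant are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Privileged steps go through run(),
# which only prints the command unless APPLY=1, so it can be read without root.

run() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

# net_cls.classid is a 32-bit value 0xAAAABBBB: AAAA = major, BBBB = minor
# (Documentation/cgroups/net_cls.txt). This is the hex form iptables accepts.
classid_hex() {   # classid_hex <major> <minor>
    printf '0x%x%04x\n' "$1" "$2"
}

# Decimal form, which is what the kernel shows on 'cat net_cls.classid'
# (the thread's 0x100001 reads back as 1048577).
classid_dec() {
    echo $(( $(classid_hex "$1" "$2") ))
}

# Write the classid into the named net_cls cgroup (cgroup "0" in the thread).
tag_cgroup() {   # tag_cgroup <cgroup-name> <major> <minor>
    run "echo $(classid_hex "$2" "$3") > /sys/fs/cgroup/net_cls/$1/net_cls.classid"
}

# 'No chain/target/match by that name' is what iptables prints when a match
# extension cannot be used. Check both halves before adding rules: the userspace
# extension (libxt_cgroup) and the kernel match (xt_cgroup, Linux 3.14+).
have_cgroup_match() {
    iptables -m cgroup --help >/dev/null 2>&1 && modprobe -q xt_cgroup 2>/dev/null
}

# Rule text for traffic from processes inside the tagged cgroup. The thread's
# '! --cgroup' form matches every process *outside* the cgroup, host services
# included, so match the container positively and pick the target instead.
cgroup_rule() {   # cgroup_rule <major> <minor> <target>
    echo "iptables -t filter -A OUTPUT -m cgroup --cgroup $(classid_hex "$1" "$2") -j $3"
}

# Full sequence for the thread's classid (major 0x10 = 16, minor 1).
firewall_cgroup() {
    tag_cgroup 0 16 1
    if have_cgroup_match; then
        run "$(cgroup_rule 16 1 DROP)"
    else
        echo "iptables cgroup match unavailable: check libxt_cgroup and xt_cgroup" >&2
        return 1
    fi
}
```

Without APPLY=1 every command is only printed; source the file and call firewall_cgroup as root with APPLY=1 to apply them.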