[lxc-users] per user iptables set failed on unprivileged LXC container

Fajar A. Nugraha list at fajar.net
Mon Mar 23 08:50:14 UTC 2015


On Sun, Mar 22, 2015 at 7:17 PM, tom <zs68j2ee at gmail.com> wrote:
> When creating an unprivileged LXC container as a non-root user, executing
> the iptables command below fails.
>
>
> iptables -A OUTPUT -o ethX -m owner --uid-owner ubuntu -j REJECT
>
>
> It seems iptables with "-m owner --uid-owner {USERNAME}" can only be
> executed in a privileged LXC container created by root on the host.
>
>
> Not sure if it's related to the LXC container, or to iptables itself.

A google search for "xt_owner user namespace" returns this:
http://markmail.org/message/2k3y7g3sxr5rpefn (read also the previous
messages in that thread), and xt_owner.c from kernel 3.19
http://lxr.free-electrons.com/source/net/netfilter/xt_owner.c

Short summary: xt_owner still does not work in user namespaces, and
your best bet would be to ask on the netfilter list whether there will be
any improvement in Linux 4.x.

-- 
Fajar

