<div dir="ltr"><div><div><div><div><div><div>Hi, list.<br><br></div>I'm sorry for copying 2 lists, but I really want to know what I'm doing wrong.<br><br></div>I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm to deb).<br>
<br></div>I'm using veth as well as venet devices for networking.<br><br></div>To isolate multiple containers from each other I'm using vzbrXXX devices on Debian like this:<br><pre>auto vzbr203
iface vzbr203 inet static
    address 192.168.203.1
    netmask 255.255.255.0
    broadcast 192.168.203.255
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0

auto vzbr202
iface vzbr202 inet static
    address 192.168.202.1
    netmask 255.255.255.0
    broadcast 192.168.202.255
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
</pre></div>The problem I'm facing is that in a VE (for example with CTID 202) I can ping or query 192.168.203.1, which is on the HN of course, but I thought it shouldn't be reachable.<br>
<br>Here is the route table and ifconfig on CTID 202:<br><pre># ip r
default dev lo scope link
# ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
</pre></div>So I guess it's going through the lo device? Why, and how can I block this?<br><br>Many thanks.<br></div>
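As an added example (not part of this mail, nor OpenVZ's or Debian's own tooling), assuming that a container's venet traffic reaches the HN on its venet0 interface and that the HN answers for any of its local addresses whichever interface the packet arrives on: a small Python script that parses the vzbrNNN stanzas shown above from an interfaces(5) file, emits iptables INPUT rules that drop each bridge address unless it arrives on its own bridge (loopback excepted), and simulates the resulting policy so it can be checked before being applied.

```python
import ipaddress
import re

# Constructed sample in the same shape as the interfaces(5) stanzas in the mail
# (netmask/broadcast lines omitted; only the address matters here).
INTERFACES = """\
auto vzbr203
iface vzbr203 inet static
    address 192.168.203.1
    bridge_ports none

auto vzbr202
iface vzbr202 inet static
    address 192.168.202.1
    bridge_ports none

auto eth0
iface eth0 inet static
    address 10.0.0.5
"""

def parse_bridges(text, prefix="vzbr"):
    """Return {iface: address} for each static stanza whose name has the prefix."""
    bridges, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*iface\s+(\S+)\s+inet\s+static", line)
        if m:
            current = m.group(1) if m.group(1).startswith(prefix) else None
            continue
        m = re.match(r"\s*address\s+(\S+)", line)
        if m and current:
            bridges[current] = str(ipaddress.ip_address(m.group(1)))
    return bridges

def iptables_rules(bridges):
    """INPUT rules: keep the HN's own loopback traffic, then drop each bridge
    address when it arrives on any other interface (venet0, another vzbr, eth0)."""
    rules = ["iptables -A INPUT -i lo -j ACCEPT"]
    for iface, addr in sorted(bridges.items()):
        rules.append(f"iptables -A INPUT ! -i {iface} -d {addr} -j DROP")
    return rules

def allowed(bridges, ingress, dst):
    """Simulate the policy above for one (ingress interface, destination) pair."""
    for iface, addr in bridges.items():
        if dst == addr:
            return ingress in (iface, "lo")
    return True  # addresses not owned by a vzbr bridge are left to other rules

RULES = iptables_rules(parse_bridges(INTERFACES))
```

With these rules loaded on the HN, a ping from CTID 202 to 192.168.203.1 arrives on venet0 and is dropped, while the HN itself still reaches the address over lo.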