<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2013/8/20 Ola Lundqvist <span dir="ltr"><<a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a>></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi<br>
<br>
It all depends on how you have done things. There are a few things<br>
that are not fully clear that you should probably add in a forum<br>
question.<br>
<br>
You mention that you use both venet and veth devices. It<br>
is not clear what you use in this situation.<br>
(To my knowledge only veth makes sense to use with vzbr).<br></blockquote><div><br></div><div>Yes, I'm using both devices.<br><br></div><div>I've added a veth device to the vzbr201 device with a private IP address, e.g. 192.168.201.2.<br>
<br></div><div>venet0 is used for the public internet address, e.g. 1.2.3.4 <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
It is also not clear how you add veth to the bridge.<br></blockquote><div><br></div><div>I'm adding it via /etc/vz/vznet.conf:<br><br>#!/bin/bash<br>EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I guess you have read this article:<br>
<a href="http://openvz.org/Virtual_Ethernet_device" target="_blank">http://openvz.org/Virtual_Ethernet_device</a><br></blockquote><div><br></div><div>Did already.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Also it may be so that even though you have added them to<br>
different bridges, then the bridges may be connected to something<br>
common. It is not clear from the text below.<br></blockquote><div><br></div><div>How can bridges be connected to the same thing if they are different? <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Hope this helps for your forum question.<br>
<br>
Cheers,<br>
<br>
// Ola<br>
<div class="im"><br>
<br>
On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:<br>
> Yes, I have forwarding turned on.<br>
> # sysctl -a 2>/dev/null|grep ip_forward<br>
> net.ipv4.ip_forward = 1<br>
> Surely, I can try to ban this via iptables, but it's so much hassle to<br>
> ban each time.<br>
> I thought it should "work out of the box"..<br>
> Anyways, thanks for your point, I will try to post this on forums.<br>
><br>
</div>> 2013/8/20 Ola Lundqvist <[1]<a href="mailto:opal@debian.org">opal@debian.org</a>><br>
<div class="im">><br>
> Hi<br>
> This kind of question belongs more on the openvz forum<br>
</div>> [2]<a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a>.<br>
<div><div class="h5">> Please ask there.<br>
> However I think it is not forwarded through "lo", instead I guess you<br>
> have IP forwarding turned on in the kernel and as the kernel gets aware<br>
> of those datagrams it will forward it to the correct place. To prevent<br>
> that I guess you have to add some firewalling rules (see iptables).<br>
> But again, this better belongs on the forum, and I may be totally<br>
> wrong.<br>
> Cheers,<br>
> // Ola<br>
><br>
> On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:<br>
> > Hi, list.<br>
> > I'm sorry for copying 2 lists, but I really want to know what I'm doing<br>
> > wrong.<br>
> > I'm using Debian 6 Squeeze and an OpenVZ CentOS kernel (converted from rpm<br>
> > to deb).<br>
> > I'm using veth as well as venet devices for networking.<br>
> > To isolate multiple containers from each other I'm using vzbrXXX<br>
> > devices on debian like this:<br>
> > auto vzbr203<br>
> > iface vzbr203 inet static<br>
> > address 192.168.203.1<br>
> > netmask 255.255.255.0<br>
> > broadcast 192.168.203.255<br>
> > bridge_ports none<br>
> > bridge_fd 0<br>
> > bridge_maxwait 0<br>
> > auto vzbr202<br>
> > iface vzbr202 inet static<br>
> > address 192.168.202.1<br>
> > netmask 255.255.255.0<br>
> > broadcast 192.168.202.255<br>
> > bridge_ports none<br>
> > bridge_fd 0<br>
> > bridge_maxwait 0<br>
> > The problem I'm facing is that in a VE (for example with CTID 202) I can<br>
> > ping or query 192.168.203.1, which is on the HN of course, but I thought it<br>
> > shouldn't be reachable.<br>
> > Here is route table and ifconfig on CTID 202:<br>
> > # ip r<br>
> > default dev lo scope link<br>
> > # ifconfig -a<br>
> > lo Link encap:Local Loopback<br>
> > inet addr:127.0.0.1 Mask:255.0.0.0<br>
> > inet6 addr: ::1/128 Scope:Host<br>
> > UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
> > RX packets:84021 errors:0 dropped:0 overruns:0 frame:0<br>
> > TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0<br>
> > collisions:0 txqueuelen:0<br>
> > RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8 MiB)<br>
> > venet0 Link encap:UNSPEC HWaddr<br>
> > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<br>
> > BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1<br>
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br>
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
> > collisions:0 txqueuelen:0<br>
> > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br>
> > So I guess it's going through the lo device? Why and how can I block this?<br>
> > Many thanks.<br>
><br>
> > _______________________________________________<br>
> > Debian mailing list<br>
</div></div>> > [3]<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> > [4]<a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
<div class="im">> --<br>
> --------------------- Ola Lundqvist ---------------------------<br>
</div>> / [5]<a href="mailto:opal@debian.org">opal@debian.org</a> Annebergsslingan 37 \<br>
> | [6]<a href="mailto:ola@inguza.com">ola@inguza.com</a> 654 65 KARLSTAD |<br>
> | [7]<a href="http://inguza.com/" target="_blank">http://inguza.com/</a> +46 (0)70-332 1551 |<br>
<div class="im">> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
> ---------------------------------------------------------------<br>
><br>
</div>> References<br>
><br>
> 1. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 2. <a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a><br>
> 3. mailto:<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> 4. <a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
> 5. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 6. mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> 7. <a href="http://inguza.com/" target="_blank">http://inguza.com/</a><br>
<span class=""><font color="#888888"><br>
--<br>
--- Inguza Technology AB --- MSc in Information Technology ----<br>
/ <a href="mailto:ola@inguza.com">ola@inguza.com</a> Annebergsslingan 37 \<br>
| <a href="mailto:opal@debian.org">opal@debian.org</a> 654 65 KARLSTAD |<br>
| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: +46 (0)70-332 1551 |<br>
</font></span><div class=""><div class="h5">\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
---------------------------------------------------------------<br>
</div></div></blockquote></div><br></div></div>
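<p>An added example, not part of the thread and not OpenVZ's own tooling, showing the kind of firewalling Ola points at. The reason 192.168.203.1 answers a container on vzbr202 (or a venet container) is that the address is local to the HN: a packet arriving on any interface with that destination is delivered locally through the INPUT chain unless a rule drops it, and with net.ipv4.ip_forward = 1 traffic between two bridges' subnets is routed by the HN through the FORWARD chain. The script below builds an iptables-restore ruleset for the HN that lets each bridge reach only its own gateway address and only be routed out via the uplink. It assumes the uplink is eth0, the thread's numbering convention (vzbrNNN carries 192.168.NNN.0/24 with the HN on .1), and that venet0 on the HN is the venet side for the public-address containers; the particular rules are my suggestion, not something the thread specifies.</p>

```shell
#!/bin/sh
# Added example (not from the thread or OpenVZ): build an iptables-restore
# ruleset for the hardware node (HN) so that a container on one vzbrNNN
# bridge cannot reach the HN address of another bridge, or be routed into
# another bridge's subnet.
#
# Assumptions, all labelled as such:
#   - the HN's uplink interface is eth0 (override with UPLINK=...)
#   - vzbrNNN carries 192.168.NNN.0/24 and the HN answers on 192.168.NNN.1
#     (the convention used in the thread's /etc/network/interfaces)
#   - venet0 on the HN is the venet side used for public-address containers

UPLINK="${UPLINK:-eth0}"
PRIVATE_RANGE="192.168.0.0/16"   # the range all vzbr bridges live in

# One rule per line, as iptables-restore expects it.
rule() { printf '%s\n' "$*"; }

# vzbr203 -> 192.168.203.0/24 and 192.168.203.1 (assumed numbering convention)
bridge_subnet()  { printf '192.168.%s.0/24\n' "${1#vzbr}"; }
bridge_host_ip() { printf '192.168.%s.1\n'    "${1#vzbr}"; }

# gen_isolation_rules vzbr202 vzbr203 ...   -> ruleset on stdout
gen_isolation_rules() {
    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD DROP [0:0]'   # nothing is routed between interfaces unless allowed below
    rule ':OUTPUT ACCEPT [0:0]'
    # Return traffic for connections accepted by the rules below
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for br in "$@"; do
        net=$(bridge_subnet "$br")
        gw=$(bridge_host_ip "$br")
        # The bridge's own gateway stays reachable; every other private HN
        # address (192.168.203.1 as seen from vzbr202) is dropped in INPUT
        # before local delivery accepts it.
        rule -A INPUT -i "$br" -d "$gw" -j ACCEPT
        rule -A INPUT -i "$br" -d "$PRIVATE_RANGE" -j DROP
        # Containers are routed out only via the uplink, and only with their
        # own subnet as source (no spoofing another bridge's addresses).
        rule -A FORWARD -i "$br" -s "$net" -o "$UPLINK" -j ACCEPT
    done
    # venet containers carry public addresses; they get no access to the
    # private bridge addresses either, and are routed only to/from the uplink.
    rule -A INPUT -i venet0 -d "$PRIVATE_RANGE" -j DROP
    rule -A FORWARD -i venet0 -o "$UPLINK" -j ACCEPT
    rule -A FORWARD -i "$UPLINK" -o venet0 -j ACCEPT
    rule COMMIT
}

# Stand-alone: print the ruleset for the two bridges from the thread.
# On the HN: BRIDGES="vzbr202 vzbr203" sh isolate.sh | iptables-restore
gen_isolation_rules ${BRIDGES:-vzbr202 vzbr203}
```

<p>Load it with iptables-restore on the HN (for example from an if-up.d hook so it survives a reboot) and re-test the ping from CTID 202 to 192.168.203.1; it should now time out while 192.168.202.1 still answers. Traffic between two containers on the same bridge is switched at layer 2 and never passes these chains, so intra-bridge isolation, if wanted, needs ebtables or separate bridges, which is what the vzbrNNN-per-container layout in the thread already does.</p>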