[Users] How to allow a container to send "spoofed" IP packets? (for VPN tunnels without NAT)

Nils Toedtmann lists at nils.toedtmann.net
Fri Mar 5 13:18:27 EST 2010


On 05/03/10 16:20, Michael H. Warfield wrote:
> On Fri, 2010-03-05 at 15:33 +0000, Nils Toedtmann wrote: 
[...]
>> The problem seems to be that OpenVZ does not allow containers to "spoof"
>> packets, that is sending IP packets with source IP addresses other than
>> the container's IP addresses. When I capture within the OpenVPN
>> container, I can clearly see packets (having arrived through the tunnel)
>> leaving the OpenVPN container via venet0, but I can't see them when I
>> sniff venet0 from the hardware node.
>> 
>> I tried granting capabilities net_admin and net_raw to the OpenVPN
>> containers, but no luck.
>> 
>> How do I allow a container to send IP packets from other IP addresses
>> than its own - any ideas?
> 
> First question I always have to ask.  Are you using the vnet driver or
> the veth driver?  If the vnet driver, I'm not surprised.  Others may
> have a way to get it working with the vnet driver but I gave up on it
> long ago as just too broken on IPv6.  Try the veth driver, which means
> setting up bridging but may be a private bridge on that host as well, so
> you can emulate the vnet behavior, if that's your want.


Thank you Michael!

After reading http://wiki.openvz.org/Veth I must admit that I use vnet
(I just followed the usual instructions for OpenVZ on CentOS). Thanks
for pointing me to veth, looks promising and much closer to the
networking setup of all other virtualisation techniques I know.

My problem is that I have a production environment and I do not want to
reconfigure the networking for all containers. Can I have a mixed setup,
using veth for only some of the containers? (I am familiar with
routing/bridging/proxy_arp etc.)

/nils.
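The mixed setup asked about above, as an added example that is not part of the thread and not OpenVZ's own documentation: one container (the OpenVPN CT) is moved from venet to veth on a private bridge on the hardware node, every other venet container is left alone, and the host routes the tunnel subnet to the veth CT so those packets are no longer treated as spoofed. Everything else in the script is an assumption chosen for illustration: CTID 101, bridge vzbr0 with host address 192.168.200.1/24, CT address 192.168.200.2, tunnel subnet 10.8.0.0/24, and a vzctl that understands the bridge field of --netif_add (ifname,mac,host_ifname,host_mac,bridge). The iptables rules at the end are the part venet used to do for you: with veth the host no longer rejects foreign source addresses from the container, so the script only forwards the tunnel and bridge subnets and drops anything else arriving from that bridge. By default it runs in dry-run mode and prints the commands; set DRY_RUN=0 as root on the hardware node to execute them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the OpenVZ wiki.
# Assumed identifiers (change to taste): CTID 101, bridge vzbr0,
# host bridge address 192.168.200.1/24, CT address 192.168.200.2,
# OpenVPN tunnel subnet 10.8.0.0/24.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them
# and then needs root, vzctl, brctl, ip and iptables on the hardware node.
set -eu

CTID="${CTID:-101}"
BRIDGE="${BRIDGE:-vzbr0}"
HOST_IF="veth${CTID}.0"              # host end of the CT's veth pair
BRIDGE_IP="${BRIDGE_IP:-192.168.200.1/24}"
BRIDGE_NET="${BRIDGE_NET:-192.168.200.0/24}"
CT_IP="${CT_IP:-192.168.200.2}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Private bridge on the hardware node.  The host owns one address on it so
#    it can route to the CT; no physical NIC is attached, so the venet CTs
#    elsewhere on the host are unaffected.
setup_bridge() {
    run brctl addbr "$BRIDGE"
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# 2. Give only this CT a veth interface and plug the host end into the bridge.
#    vzctl syntax assumed here: --netif_add ifname[,mac,host_ifname,host_mac,bridge]
#    Addressing inside the CT is done with vzctl exec, since veth (unlike
#    venet) does not get its IP from the CT config.
attach_ct_veth() {
    run vzctl set "$CTID" --netif_add "eth0,,${HOST_IF},,${BRIDGE}" --save
    run vzctl restart "$CTID"
    run vzctl exec "$CTID" ip addr add "${CT_IP}/24" dev eth0
    run vzctl exec "$CTID" ip route add default via "${BRIDGE_IP%/*}"
}

# 3. Tell the host where the tunnel subnet lives and forward it.  With veth the
#    host no longer drops foreign source addresses coming from the container,
#    so re-add that protection with an explicit allow-list on the bridge:
#    tunnel and bridge subnets are forwarded, anything else from it is dropped.
route_vpn_subnet() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$VPN_NET" via "$CT_IP" dev "$BRIDGE"
    run iptables -A FORWARD -i "$BRIDGE" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -s "$BRIDGE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -j DROP
}

# Whole procedure, in order.
convert_openvpn_ct() {
    setup_bridge
    attach_ct_veth
    route_vpn_subnet
}

convert_openvpn_ct
```

Run it once with the default DRY_RUN=1 and read the printed commands against your own addressing before switching to DRY_RUN=0; the three sections are independent functions so a half-applied run can be resumed from the step that failed.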
