[Users] How to allow a container to send "spoofed" IP packets?
(for VPN tunnels without NAT)
Michael H. Warfield
mhw at WittsEnd.com
Fri Mar 5 13:45:07 EST 2010
On Fri, 2010-03-05 at 18:17 +0000, Nils Toedtmann wrote:
> On 05/03/10 16:20, Michael H. Warfield wrote:
> > On Fri, 2010-03-05 at 15:33 +0000, Nils Toedtmann wrote:
> [...]
> >> The problem seems to be that OpenVZ does not allow containers to "spoof"
> >> packets, that is sending IP packets with source IP addresses other than
> >> the container's IP addresses. When i capture within the OpenVPN
> >> container, i can clearly see packets (having arrived through the tunnel)
> >> leaving the OpenVPN container via venet0, but i can't see them when i
> >> sniff venet0 from the hardware node.
> >>
> >> I tried granting capabilities net_admin and net_raw to the OpenVPN
> >> containers, but no luck.
> >>
> >> How do i allow a container to send IP packets from other IP addresses
> >> than its own - any ideas?
> >
> > First question I always have to ask. Are you using the vnet driver or
> > the veth driver? If the vnet driver, I'm not surprised. Others may
> > have a way to get it working with the vnet driver but I gave up on it
> > long ago as just too broken on IPv6. Try the veth driver, which means
> > setting up bridging but may be a private bridge on that host as well, so
> > you can emulate the vnet behavior, if that's your want.
> Thank you Michael!
> After reading http://wiki.openvz.org/Veth i must admit that i use vnet
> (i just followed the usual instructions for OpenVZ on CentOS). Thanks
> for pointing me to veth, looks promising and much closer to the
> networking setup of all other virtualisation techniques i know.
> My problem is that i have a productive environment and i do not want to
> reconfigure the networking for all containers. Can i have a mixed setup,
> using veth for only some of the containers? (i am familiar with
> routing/bridging/proxy_arp etc)
Oh, absolutely, yes. You can have a mixed environment.
> /nils.
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://openvz.org/pipermail/users/attachments/20100305/9537b43a/attachment.bin
More information about the Users
mailing list