[Users] How to allow a container to send "spoofed" IP packets? (for VPN tunnels without NAT)

Michael H. Warfield mhw at WittsEnd.com
Fri Mar 5 13:45:07 EST 2010


On Fri, 2010-03-05 at 18:17 +0000, Nils Toedtmann wrote: 
> On 05/03/10 16:20, Michael H. Warfield wrote:
> > On Fri, 2010-03-05 at 15:33 +0000, Nils Toedtmann wrote: 
> [...]
> >> The problem seems to be that OpenVZ does not allow containers to "spoof"
> >> packets, that is sending IP packets with source IP addresses other than
> >> the container's IP addresses. When I capture within the OpenVPN
> >> container, I can clearly see packets (having arrived through the tunnel)
> >> leaving the OpenVPN container via venet0, but I can't see them when I
> >> sniff venet0 from the hardware node.
> >> 
> >> I tried granting capabilities net_admin and net_raw to the OpenVPN
> >> containers, but no luck.
> >> 
> >> How do I allow a container to send IP packets from other IP addresses
> >> than its own - any ideas?
> > 
> > First question I always have to ask.  Are you using the vnet driver or
> > the veth driver?  If the vnet driver, I'm not surprised.  Others may
> > have a way to get it working with the vnet driver but I gave up on it
> > long ago as just too broken on IPv6.  Try the veth driver, which means
> > setting up bridging but may be a private bridge on that host as well, so
> > you can emulate the vnet behavior, if that's your want.

> Thank you Michael!

> After reading http://wiki.openvz.org/Veth I must admit that I use vnet
> (I just followed the usual instructions for OpenVZ on CentOS). Thanks
> for pointing me to veth, looks promising and much closer to the
> networking setup of all other virtualisation techniques I know.

> My problem is that I have a productive environment and I do not want to
> reconfigure the networking for all containers. Can I have a mixed setup,
> using veth for only some of the containers? (I am familiar with
> routing/bridging/proxy_arp etc.)

Oh, absolutely, yes.  You can have a mixed environment.

> /nils.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
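The mixed setup Michael confirms above, as an added example that is not part of the thread and not OpenVZ project code: the host-side steps to move only the OpenVPN container from venet to a veth interface on a private bridge, leaving every other container on venet. All names and addresses are assumptions (CTID 101, bridge vzbr0, host 10.99.0.1/24, container 10.99.0.2, tunnel network 10.8.0.0/24). Because the veth path does not enforce the source-address restriction the thread describes for venet, the script also re-imposes a host-side filter that lets the container source packets only from its own address and the tunnel network, and adds the return route so tunnel traffic is handed back to the VPN container. The script prints the commands by default and only executes them with RUN=1.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVZ project). Moves ONE
# container to veth on a private bridge; other containers stay on venet.
# Constructed values: CTID 101, bridge vzbr0, host 10.99.0.1/24,
# container 10.99.0.2, OpenVPN tunnel network 10.8.0.0/24.
# Dry-run by default: commands are printed. Set RUN=1 to execute as root.

CTID="${CTID:-101}"
BRIDGE="${BRIDGE:-vzbr0}"
HOST_IP="${HOST_IP:-10.99.0.1}"
CT_IP="${CT_IP:-10.99.0.2}"
PREFIX="${PREFIX:-24}"
TUN_NET="${TUN_NET:-10.8.0.0/24}"

# Print the command in dry-run mode, execute it when RUN=1.
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# vzctl names the host end of the pair veth<CTID>.<index>; eth0 is index 0.
host_ifname() {
    printf 'veth%s.0' "$1"
}

# Private bridge on the hardware node; only the veth containers join it.
setup_bridge() {
    run brctl addbr "$BRIDGE"
    run ip addr add "$HOST_IP/$PREFIX" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run sysctl -w net.ipv4.ip_forward=1
}

# Give the container a veth interface and plug the host end into the bridge.
# The host end (veth101.0) only exists while the container is running.
attach_container() {
    ctid="$1"
    run vzctl set "$ctid" --netif_add eth0 --save
    run brctl addif "$BRIDGE" "$(host_ifname "$ctid")"
    run vzctl exec "$ctid" "ip addr add $CT_IP/$PREFIX dev eth0 && ip link set eth0 up && ip route add default via $HOST_IP"
    # Return path: packets for the tunnel network go back to the VPN container.
    run ip route add "$TUN_NET" via "$CT_IP"
}

# Re-impose source-address filtering on the host: the container may source
# packets only from its own address and the tunnel network; the rest is
# dropped. br_netfilter must be loaded so bridged frames traverse iptables.
forward_rules() {
    ifname="$(host_ifname "$1")"
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-in "$ifname" -s "$CT_IP" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$ifname" -s "$TUN_NET" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$ifname" -j DROP
}

setup_bridge
attach_container "$CTID"
forward_rules "$CTID"
```

Run it once as a dry run to review the commands, then with RUN=1 on the hardware node while the container is started. The venet containers are untouched: they keep their venet0 addresses and routing, and only the containers you attach to the bridge gain a veth interface. The FORWARD rules are deliberately a positive list, so any new tunnel network the OpenVPN container should relay has to be added explicitly.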
