<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2013/8/20 Ola Lundqvist <span dir="ltr"><<a href="mailto:ola@inguza.com" target="_blank">ola@inguza.com</a>></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Could be so. I do not know the answer. <a href="mailto:users@openvz.org">users@openvz.org</a><br>
or the forum may know.<br></blockquote><div><br></div><div><a href="mailto:users@openvz.org">users@openvz.org</a> is already copied here.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
However if you have two interfaces I actually think your<br>
messages go through the venet interface. I may be wrong<br>
however.<br></blockquote><div><br></div><div>I've tested through lo device in VE without any additional veth devices or venet IP addresses.<br><br></div><div>But I guess lo is going through venet0 as well in VE?<br> <br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I mean to 202 192.168.203.* is in another network and<br>
would be routed to the venet if. And the other way around.<br>
As you have ip_forwarding enabled it would then route it<br>
to the other network.<br>
<br>
Network isolation on the same machine can be tricky.<br>
<br>
In any case, you may find better answers on the forum.<br>
<br>
Also you probabably need to use wireshark or tcpdump to<br>
find out what actually happens. :-)<br></blockquote><div><br></div><div>Thanks for the tip.<br><br></div><div>Actually its bit weird what I'm getting through lo device:<br><br># ip r<br>default dev lo scope link <br>
<br># ping 1.2.3.4<br>PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.<br>64 bytes from <a href="http://1.2.3.4">1.2.3.4</a>: icmp_req=1 ttl=64 time=0.036 ms<br>64 bytes from <a href="http://1.2.3.4">1.2.3.4</a>: icmp_req=2 ttl=64 time=0.027 ms<br>
^C<br>--- 1.2.3.4 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 999ms<br>rtt min/avg/max/mdev = 0.027/0.031/0.036/0.007 ms<br><br># ping 3.3.3.3<br>PING 3.3.3.3 (3.3.3.3) 56(84) bytes of data.<br>
64 bytes from <a href="http://3.3.3.3">3.3.3.3</a>: icmp_req=1 ttl=64 time=0.037 ms<br>^C<br>--- 3.3.3.3 ping statistics ---<br>1 packets transmitted, 1 received, 0% packet loss, time 0ms<br>rtt min/avg/max/mdev = 0.037/0.037/0.037/0.000 ms<br>
<br></div><div>It means if I ping _ANY_ IP through lo device it gives me answer back? why?<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
// Ola<br>
<div class="im"><br>
On Tue, Aug 20, 2013 at 01:23:29AM +0400, spameden wrote:<br>
> The problem here is actually much wider..<br>
> I can access any of the venet0 assigned IP address from the container<br>
> via lo interface.<br>
> E.g. if I have another container with an IP address of 1.2.3.4 I can<br>
> access it through lo interface from this container.<br>
><br>
</div>> 2013/8/20 spameden <[1]<a href="mailto:spameden@gmail.com">spameden@gmail.com</a>><br>
><br>
> 2013/8/20 Ola Lundqvist <[2]<a href="mailto:ola@inguza.com">ola@inguza.com</a>><br>
<div class="im">><br>
> Hi<br>
> It all depends on how you have done things. There are a few things<br>
> that is not fully clear that you should probably add in a forum<br>
> question.<br>
> You mention that you use both venet and veth devices. It<br>
> is not clear what you use in this situation.<br>
> (To my knowledge only veth makes sense to use with vzbr).<br>
><br>
> Yes, I'm using both devices.<br>
> I've added veth device to the vzbr201 device with private IP address,<br>
> e.g. 192.168.201.2.<br>
> venet0 is used for public internet address, e.g. 1.2.3.4<br>
><br>
> It is also not clear how you add veth to the bridge.<br>
><br>
> I'm adding it via /etc/vz/vznet.conf:<br>
> #!/bin/bash<br>
> EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"<br>
><br>
> I guess you have read this article:<br>
</div>> [3]<a href="http://openvz.org/Virtual_Ethernet_device" target="_blank">http://openvz.org/Virtual_Ethernet_device</a><br>
<div class="im">><br>
> Did already.<br>
><br>
> Also it may be so that even though you have added them to<br>
> different bridges, then the bridges may be connected to something<br>
> common. It is not clear from the text below.<br>
><br>
> How bridges can be connected to the same thing if they are different?<br>
><br>
> Hope this helps for your forum question.<br>
> Cheers,<br>
> // Ola<br>
><br>
> On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:<br>
> > Yes, I have forwarding turned on.<br>
> > # sysctl -a 2>/dev/null|grep ip_forward<br>
> > net.ipv4.ip_forward = 1<br>
> > Surely, I can try to ban this via iptables, but it's so much<br>
> hassle to<br>
> > ban each time.<br>
> > I thought it should "work out out of the box"..<br>
> > Anyways, thanks for your point, I will try to post this on forums.<br>
> ><br>
><br>
</div>> > 2013/8/20 Ola Lundqvist <[1][4]<a href="mailto:opal@debian.org">opal@debian.org</a>><br>
<div class="im">><br>
> ><br>
> > Hi<br>
> > This kind of question belong more on the openvz forum<br>
><br>
</div>> > [2][5]<a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a>.<br>
<div><div class="h5">><br>
> > Please ask there.<br>
> > However I think it is not worwarded through "lo", instead I<br>
> guess<br>
> > you<br>
> > have IP forwarding turned on in the kernel and as the kernel<br>
> gets<br>
> > aware<br>
> > of those datagrams it will forward it to the correct place. To<br>
> > prevent<br>
> > that I guess you have to add some firewalling rules (see<br>
> iptables).<br>
> > But again, this better belong on the forum, and I may be totally<br>
> > wrong.<br>
> > Cheers,<br>
> > // Ola<br>
> ><br>
> > On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:<br>
> > > Hi, list.<br>
> > > I'm sorry for copying 2 lists, but I really want to know what<br>
> I'm<br>
> > doing<br>
> > > wrong.<br>
> > > I'm using Debian 6 Squeeze and OpenVZ CentOS kernel<br>
> (converted<br>
> > from rpm<br>
> > > to deb).<br>
> > > I'm using veth as well as venet devices for networking.<br>
> > > To isolate multiple containers from each other I'm using<br>
> vzbrXXX<br>
> > > devices on debian like this:<br>
> > > auto vzbr203<br>
> > > iface vzbr203 inet static<br>
> > > address 192.168.203.1<br>
> > > netmask 255.255.255.0<br>
> > > broadcast 192.168.203.255<br>
> > > bridge_ports none<br>
> > > bridge_fd 0<br>
> > > bridge_maxwait 0<br>
> > > auto vzbr202<br>
> > > iface vzbr202 inet static<br>
> > > address 192.168.202.1<br>
> > > netmask 255.255.255.0<br>
> > > broadcast 192.168.202.255<br>
> > > bridge_ports none<br>
> > > bridge_fd 0<br>
> > > bridge_maxwait 0<br>
> > > The problem I'm facing that in VE (for example with CTID 202)<br>
> I<br>
> > can<br>
> > > ping or query 192.168.203.1 which is on HN of course, but I<br>
> > thought it<br>
> > > shouldn't be reachable.<br>
> > > Here is route table and ifconfig on CTID 202:<br>
> > > # ip r<br>
> > > default dev lo scope link<br>
> > > # ifconfig -a<br>
> > > lo Link encap:Local Loopback<br>
> > > inet addr:127.0.0.1 Mask:255.0.0.0<br>
> > > inet6 addr: ::1/128 Scope:Host<br>
> > > UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
> > > RX packets:84021 errors:0 dropped:0 overruns:0<br>
> frame:0<br>
> > > TX packets:84021 errors:0 dropped:0 overruns:0<br>
> carrier:0<br>
> > > collisions:0 txqueuelen:0<br>
> > > RX bytes:5045068 (4.8 MiB) TX bytes:5045068 (4.8<br>
> MiB)<br>
> > > venet0 Link encap:UNSPEC HWaddr<br>
> > > 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<br>
> > > BROADCAST POINTOPOINT NOARP MTU:1500 Metric:1<br>
> > > RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br>
> > > TX packets:0 errors:0 dropped:0 overruns:0<br>
> carrier:0<br>
> > > collisions:0 txqueuelen:0<br>
> > > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br>
> > > So I guess it's going through lo device? Why and how can I<br>
> block<br>
> > this?<br>
> > > Many thanks.<br>
> ><br>
> > > _______________________________________________<br>
> > > Debian mailing list<br>
><br>
</div></div>> > > [3][6]<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> > > [4][7]<a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
<div class="im">><br>
> > --<br>
> > --------------------- Ola Lundqvist ---------------------------<br>
><br>
</div>> > / [5][8]<a href="mailto:opal@debian.org">opal@debian.org</a> Annebergsslingan<br>
> 37 \<br>
> > | [6][9]<a href="mailto:ola@inguza.com">ola@inguza.com</a> 654 65 KARLSTAD<br>
> |<br>
> > | [7][10]<a href="http://inguza.com/" target="_blank">http://inguza.com/</a> +46 (0)70-332<br>
<div class="im">> 1551 |<br>
><br>
> > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9<br>
> /<br>
> > ---------------------------------------------------------------<br>
> ><br>
><br>
> > Referenser<br>
> ><br>
</div>> > 1. mailto:[11]<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> > 2. [12]<a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a><br>
> > 3. mailto:[13]<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> > 4. [14]<a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
> > 5. mailto:[15]<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> > 6. mailto:[16]<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> > 7. [17]<a href="http://inguza.com/" target="_blank">http://inguza.com/</a><br>
<div class="im">> --<br>
> --- Inguza Technology AB --- MSc in Information Technology ----<br>
</div>> / [18]<a href="mailto:ola@inguza.com">ola@inguza.com</a> Annebergsslingan 37<br>
> \<br>
> | [19]<a href="mailto:opal@debian.org">opal@debian.org</a> 654 65 KARLSTAD<br>
> |<br>
> | [20]<a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: +46 (0)70-332 1551<br>
<div class="im">> |<br>
><br>
> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
> ---------------------------------------------------------------<br>
><br>
</div>> Referenser<br>
><br>
> 1. mailto:<a href="mailto:spameden@gmail.com">spameden@gmail.com</a><br>
> 2. mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> 3. <a href="http://openvz.org/Virtual_Ethernet_device" target="_blank">http://openvz.org/Virtual_Ethernet_device</a><br>
> 4. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 5. <a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a><br>
> 6. mailto:<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> 7. <a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
> 8. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 9. mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> 10. <a href="http://inguza.com/" target="_blank">http://inguza.com/</a><br>
> 11. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 12. <a href="http://forum.openvz.org/" target="_blank">http://forum.openvz.org/</a><br>
> 13. mailto:<a href="mailto:Debian@openvz.org">Debian@openvz.org</a><br>
> 14. <a href="https://lists.openvz.org/mailman/listinfo/debian" target="_blank">https://lists.openvz.org/mailman/listinfo/debian</a><br>
> 15. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 16. mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> 17. <a href="http://inguza.com/" target="_blank">http://inguza.com/</a><br>
> 18. mailto:<a href="mailto:ola@inguza.com">ola@inguza.com</a><br>
> 19. mailto:<a href="mailto:opal@debian.org">opal@debian.org</a><br>
> 20. <a href="http://inguza.com/" target="_blank">http://inguza.com/</a><br>
<div class=""><div class="h5"><br>
--<br>
--- Inguza Technology AB --- MSc in Information Technology ----<br>
/ <a href="mailto:ola@inguza.com">ola@inguza.com</a> Annebergsslingan 37 \<br>
| <a href="mailto:opal@debian.org">opal@debian.org</a> 654 65 KARLSTAD |<br>
| <a href="http://inguza.com/" target="_blank">http://inguza.com/</a> Mobile: +46 (0)70-332 1551 |<br>
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
---------------------------------------------------------------<br>
</div></div></blockquote></div><br></div></div>