Hi, in my containers, I'm trying to filter packets using marks set by ebtables on the host, but it seems those marks are not propagated to the containers, and I wonder if there is a way to make it work.
Example: I have a host with several physical NICs (e.g., intranet1, intranet2, wifi, extranet) that are all members of the bridge "mybridge". Containers are configured with one network interface (veth) that also becomes a member of "mybridge". Incoming packets on the host are marked depending on the physical interface they arrived on:

    ebtables -t nat -A PREROUTING -i intranet1 -j mark --set-mark 0x1
    ebtables -t nat -A PREROUTING -i intranet2 -j mark --set-mark 0x1
    ebtables -t nat -A PREROUTING -i wifi -j mark --set-mark 0x2
    ebtables -t nat -A PREROUTING -i extranet -j mark --set-mark 0x3

Alas, when the packet arrives at the respective container, the mark is gone; I verified this via:

    iptables -A INPUT -j NFLOG --nflog-group 20
    tshark -i nflog:20 -n -V | grep NFULA_MARK

Having a way to filter by incoming interface while keeping it simple by only having one virtual NIC would majorly simplify and unify firewalling inside my containers. I suspect the marks not being propagated is a feature of the network namespace, but maybe there's a way around that.

Thanks in advance for any ideas...

Norman

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
