On Wed, Mar 11, 2015 at 7:22 PM, Fajar A. Nugraha <[email protected]> wrote:
> On Wed, Mar 11, 2015 at 7:02 PM, Fiedler Roman <[email protected]>
> wrote:
>> This should be exactly the configuration I have tested so far. But that did
>> not yet solve my problem ...
>>
>> * If some process in guest registers for the same NFLOG queue, he can "steal"
>> the messages from the host queue, thus removing traces of his activity from
>> host logging. SECURITY-ASPECT: apart from log corruption, the guest can get
>> knowledge about any other connection to/from other containers and the host
>> and, as they include sequence numbers, may be able to inject spoofed data into
>> any other unencrypted TCP connection or at least interrupt the connection using
>> another helper machine.
>
> No. What makes you believe that?
>
> Host and containers do not share iptables rules. Their entire
> network stack is separated through network namespaces. There's no such
> thing as "stealing the message".
To further clarify: The default lxc networking setup (veth with bridge) MAY allow a container to snoop/hijack traffic to/from other containers. This is similar to how computers on the same LAN, connected to a dumb switch, can potentially snoop/hijack traffic to/from other computers. This is an ethernet bridge issue, not an iptables issue, nor an lxc issue.

To prevent that issue, there are some things you can do. One option is to create a separate bridge for each container. The other option would be to use my alternative setup which I linked to earlier, which does NOT use bridge.

--
Fajar

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
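A quick audit check for the shared-bridge situation Fajar describes, written as an added example (not code from the thread or from the LXC project): it reads the `lxc.network.link` key from each container's config and reports every bridge referenced by two or more containers, since those are the containers that sit on the same "dumb switch". It assumes the legacy `lxc.network.*` key syntax and the `/var/lib/lxc/<name>/config` layout; the sample configs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the LXC project.
# shared_bridges CONFIG...  -> prints "bridge: nameA nameB ..." for every
# bridge (lxc.network.link value) that two or more container configs use.
# Container name is taken from the config's parent directory, i.e. the
# /var/lib/lxc/<name>/config layout (assumption).
shared_bridges() {
    for cfg in "$@"; do
        name=$(basename "$(dirname "$cfg")")
        # "lxc.network.link = lxcbr0" -> "lxcbr0"; one line per bridge/name pair
        sed -n 's/^[[:space:]]*lxc\.network\.link[[:space:]]*=[[:space:]]*//p' "$cfg" |
            while read -r br; do printf '%s %s\n' "$br" "$name"; done
    done | sort | awk '
        { members[$1] = members[$1] " " $2; count[$1]++ }
        END { for (b in count) if (count[b] > 1) printf "%s:%s\n", b, members[b] }
    ' | sort
}

# demo: three constructed container configs; web and db share lxcbr0 (the
# default veth-with-bridge setup), tools has a bridge of its own.
demo() {
    d=$(mktemp -d)
    for c in web db tools; do mkdir -p "$d/$c"; done
    printf 'lxc.network.type = veth\nlxc.network.link = lxcbr0\n'    > "$d/web/config"
    printf 'lxc.network.type = veth\nlxc.network.link = lxcbr0\n'    > "$d/db/config"
    printf 'lxc.network.type = veth\nlxc.network.link = br-tools\n'  > "$d/tools/config"
    shared_bridges "$d/web/config" "$d/db/config" "$d/tools/config"
    rm -rf "$d"
}

demo
```

On a real host, run `shared_bridges /var/lib/lxc/*/config`; any bridge listed is one where a per-container bridge (or a non-bridged setup) would remove the snooping path.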
