Luis Michael Ibarra

> On Sep 29, 2017, at 10:42, Björn Fischer <b...@cebitec.uni-bielefeld.de> wrote:
>
> Hi,
>
>> # lxc | egrep 'shell|exec'
>> exec Execute commands in containers
>>
>> 'shell' is not even in the lxc command line help yet :)
>> Thanks for letting me know that command exists.
>
> I found that via bash autocompletion "lxc [TAB][TAB]" ;-)
>
>> My GUESS is that iptables treats container traffic as a separate host, due
>> to it being in a separate network namespace. So the host has no idea what PID
>> the ping traffic is from.
>
> That was my first thought, too. But the network namespace should be
> listed with "ip netns list", should it not?
> The output of "ip netns list" is empty on my host.
>

You need to add each container network namespace to /var/run/netns, so it can be managed by the ip command.

>> The host only knows that the traffic comes from a veth* interface, which
>> is attached to lxdbr0, and then it needs to FORWARD it to eth0 (or
>> whatever your host's public interface is). So this should work
>>
>> iptables -I FORWARD -s 10.0.160.33 -p ICMP -j DROP
>>
>> OUTPUT and INPUT won't work, FORWARD does. Of course, cgroups won't work
>> with FORWARD, so you need to find a criterion (e.g. source IP) that does.
>
> I am not using lxdbr0, but a setup based on macvlan (as you can see in
> the transcript). Macvlan fits perfectly for our use case here. I just
> need to be sure that our "customers" cannot do any harm by changing
> the IP addresses inside the containers. So basically, I'm trying to
> replicate the port-security lxdbr0 feature for macvlan.
>
> Thank you for your suggestions.
>
> Björn Fischer
>
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
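As an added example, not from the thread: a POSIX sh helper that does what Luis describes (links a container's /proc/PID/ns/net under /var/run/netns so "ip netns exec" can reach it) and then audits the IPv4 addresses inside the namespace against the one the host assigned, which is the check Björn wants for macvlan tenants whose traffic never passes the host's FORWARD chain. The "Pid:" line from "lxc info" is an assumption about LXD's output; the address listing is a constructed sample, and "ip netns exec" itself needs root.

```shell
#!/bin/sh
# Added example (not from the thread): make a container's network namespace
# visible to iproute2, then audit the IPv4 addresses configured inside it
# against the one the host assigned. Constructed sample data at the bottom.
# NETNS_DIR is overridable so the file-level functions can be tested unprivileged.
NETNS_DIR="${NETNS_DIR:-/var/run/netns}"

# PID of an LXD container's init. Assumes the "Pid:" line printed by "lxc info".
lxc_pid() { lxc info "$1" | awk '$1 == "Pid:" { print $2 }'; }

# Expose the namespace of PID as "ip netns" name NAME. A symlink to
# /proc/PID/ns/net is enough, since iproute2 only opens that path for setns().
netns_register() {
    [ -e "/proc/$2/ns/net" ] || { echo "no network namespace for pid $2" >&2; return 1; }
    mkdir -p "$NETNS_DIR" && ln -sfn "/proc/$2/ns/net" "$NETNS_DIR/$1"
}

netns_unregister() { rm -f "$NETNS_DIR/$1"; }

# stdin: output of "ip -4 -o addr show"; stdout: bare IPv4 addresses, one per line.
parse_ipv4_addrs() { awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'; }

# stdin: addresses; prints any that is neither loopback nor EXPECTED and
# returns 1 if one was found, i.e. the tenant added or changed an address.
unexpected_addrs() {
    rc=0
    while read -r a; do
        case "$a" in
            127.*|"$1") ;;
            *) echo "$a"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit registered container NAME against its assigned address (needs root).
audit_container() {
    ip netns exec "$1" ip -4 -o addr show | parse_ipv4_addrs | unexpected_addrs "$2"
}

# Constructed sample: a tenant added 10.0.160.99 next to the assigned 10.0.160.33.
SAMPLE_ADDR_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
8: eth0    inet 10.0.160.33/24 brd 10.0.160.255 scope global eth0\       valid_lft forever preferred_lft forever
8: eth0    inet 10.0.160.99/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'
```

Typical use on the host is `netns_register c1 "$(lxc_pid c1)" && audit_container c1 10.0.160.33`; a non-zero exit with the offending address printed is the signal to act on.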