load iptables from hook --- https://www.pld-linux.org/docs/lxc?rev=1385306308 +++ https://www.pld-linux.org/docs/lxc @@ -115,8 +115,10 @@ - uses ''macvlan'' - that interface is NOT visible on host - you can't filter it from host's firewall - you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). + - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible) + first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. also you may use some generation techniques like these: using last three ip numbers and [[http://xenbits.xen.org/docs/4.3-testing/misc/xl-network-configuration.html|Xen's OUI (00:16:3e)]] address space. If IP is ''192.168.2.160'', then: @@ -133,5 +135,8 @@ lxc.network.macvlan.mode = bridge lxc.network.name = eth0 lxc.network.ipv4 = 192.168.2.160/23 lxc.network.ipv4.gateway = 192.168.2.1 + + lxc.hook.pre-mount = /sbin/service iptables start + lxc.cap.drop = net_admin </file>
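Review bot: the new bullet in the first hunk should say which rule set the hook actually loads: lxc.hook.pre-mount runs before the container's rootfs is mounted, so `/sbin/service iptables start` is the host's service script reading the host's saved rules, not a file inside the container's filesystem. A reader of "iptables is initialized from lxc.hook.pre-mount hook" will otherwise expect the container's own rule file to apply; add a sentence saying the rules live on the host (and that the hook still sees the container's macvlan interface because it runs in the container's namespaces). Also "ran in the container's namespace" should read "run in the container's namespaces".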
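Review bot: `lxc.cap.drop = net_admin` in the second hunk needs a sentence of explanation next to it. The ordering is sound, since hooks run before the capability set is reduced, so the hook keeps CAP_NET_ADMIN and loads the rules, and afterwards nothing inside the container can alter them. But dropping net_admin also stops the container's own init from bringing up eth0, adding addresses or routes, or running `service iptables` itself; this setup works only because lxc.network.ipv4 and lxc.network.ipv4.gateway are applied by LXC from the host side. State that the container-side network scripts must be disabled, otherwise the first boot after this change will show EPERM failures that the page does not explain.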
Diff URL: https://www.pld-linux.org/docs/lxc?do=diff&r1=1385306308&r2=1386599621

--
This mail was generated by DokuWiki at https://www.pld-linux.org/

_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
