Lennart Poettering <lenn...@poettering.net> wrote:

> On Mon, 27.04.15 20:17, Kai Krakow (hurikha...@gmail.com) wrote:
>
>> Tomasz Torcz <to...@pipebreaker.pl> wrote:
>>
>>>> Well, would that enable automatic, correcting routing between the
>>>> container and the host's external network? That's kinda what this all
>>>> is about...
>>>
>>> If you have radvd running, it should. By the way, speaking of NAT
>>> in context of IPv6 is a heresy.
>>
>> Why? Its purpose here is not saving some addresses (we have many in
>> IPv6), its purpose is to have security and containment. The services
>> provided by the container - at least in my project - are meant to be seen
>> as a service of the host (as Lennart pointed out as a possible
>> application in another post). I don't want the containers being
>> addressable/routable from outside in. And putting a firewall in place to
>> counterfeit this is just security by obscurity: have one configuration
>> problem and your firewall is gone and the container publicly available.
>>
>> The whole story would be different if I'd set up port forwarding
>> afterwards to make services from the containers available - but that
>> won't be the case.
>
> Sidenote: systemd-nspawn already covers that for ipv4: use the --port=
> switch (or -p).
Yes, I know... And I will certainly find a use-case for that. :-) But the general design of my project is to put containers behind a reverse proxy like nginx or varnish, set up some caching and WAF rules, and dynamically point incoming web requests to the right container servicing the right environment. :-)

I will probably pull performance data through such a port forwarding. But for now the testbed is only my desktop system, some months will pass before deploying this on a broader basis, it will certainly not start with IPv6 support (but it will be kept in mind), and I still have a lot of ideas to try out. I won't even need to have IPv6 pass into the host from external networks because a proxy will sit in between. But it would be nice if containers could use IPv6 from inside without having to worry about packets that could pass in through a public routing rule.

I don't like pulling up a firewall before everything is settled, tested, and secured. A firewall is only the last resort barrier. The same holds true for stuff like fail2ban or denyhosts.

For the time being, I should simply turn off IPv6 inside the container. However, I didn't figure out how to prevent systemd-network inside the container from doing that.

-- 
Replies to list only preferred.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
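The thread's concern is that a container picks up a globally routable IPv6 address (for example via router advertisements) and becomes reachable from outside without any port forwarding being configured. A host-side check for that condition, added here as an example that is not part of the thread and not systemd's own tooling: it parses `ip -6 addr show` output and reports any address of global scope, so only link-local (`fe80::/10`) and loopback addresses are tolerated. The sample outputs are constructed and use documentation prefixes (`2001:db8::/32`); the interface name `host0` is the one systemd-nspawn gives to a container's veth end, but the addresses are not from any real system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect globally routable
# IPv6 addresses in `ip -6 addr show` output, read from stdin.
# Such an address on a container interface means the container is reachable
# from outside by a public route, which is exactly what the thread wants to
# avoid until a firewall/proxy setup is in place.
global_ipv6_addrs() {
    # Address lines look like:
    #   "    inet6 2001:db8:1::1/64 scope global dynamic"
    # Keep only lines with scope "global" and strip the prefix length.
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" { sub(/\/.*/, "", $2); print $2 }'
}

# Return 0 when the supplied `ip -6 addr` text holds no global address,
# 1 otherwise (the offending addresses are printed to stderr).
assert_no_global_ipv6() {
    leaks=$(printf '%s\n' "$1" | global_ipv6_addrs)
    if [ -n "$leaks" ]; then
        printf 'global IPv6 address(es) present:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a container that only has loopback and link-local IPv6.
SAMPLE_ISOLATED='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: host0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::1c3f:4ff:fe2a:9b1/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample: the same container after accepting a router advertisement,
# now carrying a global address and therefore routable from outside.
SAMPLE_ROUTABLE='2: host0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1::1/64 scope global dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::1c3f:4ff:fe2a:9b1/64 scope link
       valid_lft forever preferred_lft forever'

# Usage: feed the container's real `ip -6 addr show` output into
# assert_no_global_ipv6 (how you run the command inside the container depends
# on your tooling); a non-zero exit means IPv6 exposure needs attention.
```

Run the check from the host after the container's network has settled; with the `SAMPLE_ROUTABLE` input `assert_no_global_ipv6` exits 1 and names `2001:db8:1::1`, with `SAMPLE_ISOLATED` it exits 0. Because it only inspects addresses, it complements rather than replaces a firewall: it tells you whether the container has something routable to protect in the first place.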