The problem here is actually much wider. I can access any of the venet0-assigned IP addresses from the container via the lo interface.
E.g. if I have another container with an IP address of 1.2.3.4, I can access it through the lo interface from this container.

2013/8/20 spameden <[email protected]>

> 2013/8/20 Ola Lundqvist <[email protected]>
>
>> Hi
>>
>> It all depends on how you have done things. There are a few things
>> that are not fully clear that you should probably add in a forum
>> question.
>>
>> You mention that you use both venet and veth devices. It
>> is not clear what you use in this situation.
>> (To my knowledge only veth makes sense to use with vzbr).
>
> Yes, I'm using both devices.
>
> I've added the veth device to the vzbr201 device with a private IP address, e.g.
> 192.168.201.2.
>
> venet0 is used for the public internet address, e.g. 1.2.3.4
>
>> It is also not clear how you add veth to the bridge.
>
> I'm adding it via /etc/vz/vznet.conf:
>
> #!/bin/bash
> EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
>
>> I guess you have read this article:
>> http://openvz.org/Virtual_Ethernet_device
>
> Did already.
>
>> Also it may be so that even though you have added them to
>> different bridges, then the bridges may be connected to something
>> common. It is not clear from the text below.
>
> How can bridges be connected to the same thing if they are different?
>
>> Hope this helps for your forum question.
>>
>> Cheers,
>>
>> // Ola
>>
>> On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
>> > Yes, I have forwarding turned on.
>> > # sysctl -a 2>/dev/null|grep ip_forward
>> > net.ipv4.ip_forward = 1
>> > Surely, I can try to ban this via iptables, but it's so much hassle
>> > to ban each time.
>> > I thought it should "work out of the box"..
>> > Anyways, thanks for your point, I will try to post this on the forums.
>> >
>> > 2013/8/20 Ola Lundqvist <[1][email protected]>
>> >
>> > Hi
>> > This kind of question belongs more on the openvz forum
>> > [2]http://forum.openvz.org/.
>> > Please ask there.
>> > However I think it is not forwarded through "lo"; instead I guess you
>> > have IP forwarding turned on in the kernel, and as the kernel becomes aware
>> > of those datagrams it will forward them to the correct place. To prevent
>> > that I guess you have to add some firewalling rules (see iptables).
>> > But again, this belongs better on the forum, and I may be totally
>> > wrong.
>> > Cheers,
>> > // Ola
>> >
>> > On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
>> > > Hi, list.
>> > > I'm sorry for copying 2 lists, but I really want to know what I'm
>> > > doing wrong.
>> > > I'm using Debian 6 Squeeze and the OpenVZ CentOS kernel (converted
>> > > from rpm to deb).
>> > > I'm using veth as well as venet devices for networking.
>> > > To isolate multiple containers from each other I'm using vzbrXXX
>> > > devices on Debian like this:
>> > >
>> > > auto vzbr203
>> > > iface vzbr203 inet static
>> > >     address 192.168.203.1
>> > >     netmask 255.255.255.0
>> > >     broadcast 192.168.203.255
>> > >     bridge_ports none
>> > >     bridge_fd 0
>> > >     bridge_maxwait 0
>> > >
>> > > auto vzbr202
>> > > iface vzbr202 inet static
>> > >     address 192.168.202.1
>> > >     netmask 255.255.255.0
>> > >     broadcast 192.168.202.255
>> > >     bridge_ports none
>> > >     bridge_fd 0
>> > >     bridge_maxwait 0
>> > >
>> > > The problem I'm facing is that in a VE (for example with CTID 202) I can
>> > > ping or query 192.168.203.1, which is on the HN of course, but I
>> > > thought it shouldn't be reachable.
>> > > Here is the route table and ifconfig on CTID 202:
>> > > # ip r
>> > > default dev lo  scope link
>> > > # ifconfig -a
>> > > lo        Link encap:Local Loopback
>> > >           inet addr:127.0.0.1  Mask:255.0.0.0
>> > >           inet6 addr: ::1/128 Scope:Host
>> > >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>> > >           RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
>> > >           TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
>> > >           collisions:0 txqueuelen:0
>> > >           RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
>> > >
>> > > venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>> > >           BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
>> > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> > >           collisions:0 txqueuelen:0
>> > >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>> > >
>> > > So I guess it's going through the lo device? Why, and how can I block this?
>> > > Many thanks.
>> > >
>> > > _______________________________________________
>> > > Debian mailing list
>> > > [3][email protected]
>> > > [4]https://lists.openvz.org/mailman/listinfo/debian
>> > --
>> > --------------------- Ola Lundqvist ---------------------------
>> > /  [5][email protected]                Annebergsslingan 37  \
>> > |  [6][email protected]                 654 65 KARLSTAD      |
>> > |  [7]http://inguza.com/              +46 (0)70-332 1551   |
>> > \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>> > ---------------------------------------------------------------
>> >
>> > References
>> >
>> > 1. mailto:[email protected]
>> > 2. http://forum.openvz.org/
>> > 3. mailto:[email protected]
>> > 4. https://lists.openvz.org/mailman/listinfo/debian
>> > 5. mailto:[email protected]
>> > 6. mailto:[email protected]
>> > 7. http://inguza.com/
>>
>> --
>> --- Inguza Technology AB --- MSc in Information Technology ----
_______________________________________________
Users mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/users
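Added example for the isolation question raised in this thread (not code from the list or from any of the posters): a script for the hardware node that emits the iptables rules under which venet0 containers can no longer reach the HN's vzbrNNN addresses, each other via the forwarded venet0 path, or the bridge segments. The interface names and subnets are the ones in the thread; the DRY_RUN switch and the name=subnet argument form are my assumptions.

```bash
#!/bin/bash
# Assumed layout (from the thread): containers get public IPs on venet0,
# and each container's veth sits on its own HN bridge vzbrNNN carrying a
# private 192.168.NNN.0/24 subnet whose .1 address belongs to the HN.
# Arguments are name=subnet pairs, e.g. vzbr202=192.168.202.0/24.
# DRY_RUN=1 (default) prints the commands instead of applying them.

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

vz_isolation_rules() {
    local spec br subnet other
    # "Reachable via lo" is really ip_forward=1 on the HN: the CT's default
    # route is lo, the packet surfaces on the HN's venet0 and is routed back
    # out venet0 to the other container. Refuse that hairpin.
    ipt -A FORWARD -i venet0 -o venet0 -j DROP
    for spec in "$@"; do
        br="${spec%%=*}"
        subnet="${spec#*=}"
        # CT -> HN bridge address (e.g. 192.168.203.1) is local delivery,
        # so it is decided in INPUT, not FORWARD.
        ipt -A INPUT -i venet0 -d "$subnet" -j DROP
        # No routing between the venet0 world and any bridge, either way.
        ipt -A FORWARD -i venet0 -o "$br" -j DROP
        ipt -A FORWARD -i "$br" -o venet0 -j DROP
        # No routing between different bridges; same-bridge traffic is
        # switched at layer 2 and is deliberately left untouched.
        for other in "$@"; do
            if [ "${other%%=*}" = "$br" ]; then continue; fi
            ipt -A FORWARD -i "$br" -o "${other%%=*}" -j DROP
        done
    done
}
```

Run it once with `DRY_RUN=1` to review the rule set, then with `DRY_RUN=0` as root on the HN; the rules are appended, so they must precede any broad ACCEPT already in FORWARD or INPUT.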
