2013/8/20 Ola Lundqvist <[email protected]>

> Could be so. I do not know the answer. [email protected]
> or the forum may know.
>
[email protected] is already copied here.

> However if you have two interfaces I actually think your
> messages go through the venet interface. I may be wrong
> however.
>

I've tested through lo device in VE without any additional veth devices or
venet IP addresses. But I guess lo is going through venet0 as well in VE?

> I mean to 202 192.168.203.* is in another network and
> would be routed to the venet if. And the other way around.
> As you have ip_forwarding enabled it would then route it
> to the other network.
>
> Network isolation on the same machine can be tricky.
>
> In any case, you may find better answers on the forum.
>
> Also you probably need to use wireshark or tcpdump to
> find out what actually happens. :-)
>

Thanks for the tip. Actually it's a bit weird what I'm getting through lo
device:

# ip r
default dev lo scope link
# ping 1.2.3.4
PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_req=1 ttl=64 time=0.036 ms
64 bytes from 1.2.3.4: icmp_req=2 ttl=64 time=0.027 ms
^C
--- 1.2.3.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.036/0.007 ms
# ping 3.3.3.3
PING 3.3.3.3 (3.3.3.3) 56(84) bytes of data.
64 bytes from 3.3.3.3: icmp_req=1 ttl=64 time=0.037 ms
^C
--- 3.3.3.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.037/0.037/0.037/0.000 ms

It means if I ping _ANY_ IP through lo device it gives me answer back? Why?

> // Ola
>
> On Tue, Aug 20, 2013 at 01:23:29AM +0400, spameden wrote:
> > The problem here is actually much wider..
> > I can access any of the venet0 assigned IP addresses from the container
> > via lo interface.
> > E.g. if I have another container with an IP address of 1.2.3.4 I can
> > access it through lo interface from this container.
> >
> > 2013/8/20 spameden <[email protected]>
> >
> > 2013/8/20 Ola Lundqvist <[email protected]>
> >
> > Hi
> > It all depends on how you have done things. There are a few things
> > that are not fully clear that you should probably add in a forum
> > question.
> > You mention that you use both venet and veth devices. It
> > is not clear what you use in this situation.
> > (To my knowledge only veth makes sense to use with vzbr).
> >
> > Yes, I'm using both devices.
> > I've added veth device to the vzbr201 device with private IP address,
> > e.g. 192.168.201.2.
> > venet0 is used for public internet address, e.g. 1.2.3.4
> >
> > It is also not clear how you add veth to the bridge.
> >
> > I'm adding it via /etc/vz/vznet.conf:
> > #!/bin/bash
> > EXTERNAL_SCRIPT="/usr/sbin/vznetaddbr"
> >
> > I guess you have read this article:
> > http://openvz.org/Virtual_Ethernet_device
> >
> > Did already.
> >
> > Also it may be so that even though you have added them to
> > different bridges, then the bridges may be connected to something
> > common. It is not clear from the text below.
> >
> > How can bridges be connected to the same thing if they are different?
> >
> > Hope this helps for your forum question.
> > Cheers,
> > // Ola
> >
> > On Tue, Aug 20, 2013 at 12:53:23AM +0400, spameden wrote:
> > > Yes, I have forwarding turned on.
> > > # sysctl -a 2>/dev/null|grep ip_forward
> > > net.ipv4.ip_forward = 1
> > > Surely, I can try to ban this via iptables, but it's so much hassle to
> > > ban each time.
> > > I thought it should "work out of the box"..
> > > Anyways, thanks for your point, I will try to post this on forums.
> > >
> > > 2013/8/20 Ola Lundqvist <[email protected]>
> > >
> > > Hi
> > > This kind of question belongs more on the openvz forum
> > > http://forum.openvz.org/.
> > > Please ask there.
> > > However I think it is not forwarded through "lo", instead I guess you
> > > have IP forwarding turned on in the kernel and as the kernel gets aware
> > > of those datagrams it will forward it to the correct place. To prevent
> > > that I guess you have to add some firewalling rules (see iptables).
> > > But again, this better belongs on the forum, and I may be totally
> > > wrong.
> > > Cheers,
> > > // Ola
> > >
> > > On Tue, Aug 20, 2013 at 12:04:42AM +0400, spameden wrote:
> > > > Hi, list.
> > > > I'm sorry for copying 2 lists, but I really want to know what I'm doing
> > > > wrong.
> > > > I'm using Debian 6 Squeeze and OpenVZ CentOS kernel (converted from rpm
> > > > to deb).
> > > > I'm using veth as well as venet devices for networking.
> > > > To isolate multiple containers from each other I'm using vzbrXXX
> > > > devices on debian like this:
> > > > auto vzbr203
> > > > iface vzbr203 inet static
> > > >     address 192.168.203.1
> > > >     netmask 255.255.255.0
> > > >     broadcast 192.168.203.255
> > > >     bridge_ports none
> > > >     bridge_fd 0
> > > >     bridge_maxwait 0
> > > > auto vzbr202
> > > > iface vzbr202 inet static
> > > >     address 192.168.202.1
> > > >     netmask 255.255.255.0
> > > >     broadcast 192.168.202.255
> > > >     bridge_ports none
> > > >     bridge_fd 0
> > > >     bridge_maxwait 0
> > > > The problem I'm facing is that in VE (for example with CTID 202) I can
> > > > ping or query 192.168.203.1 which is on HN of course, but I thought it
> > > > shouldn't be reachable.
> > > > Here is route table and ifconfig on CTID 202:
> > > > # ip r
> > > > default dev lo scope link
> > > > # ifconfig -a
> > > > lo        Link encap:Local Loopback
> > > >           inet addr:127.0.0.1  Mask:255.0.0.0
> > > >           inet6 addr: ::1/128 Scope:Host
> > > >           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> > > >           RX packets:84021 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:84021 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:0 txqueuelen:0
> > > >           RX bytes:5045068 (4.8 MiB)  TX bytes:5045068 (4.8 MiB)
> > > > venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> > > >           BROADCAST POINTOPOINT NOARP  MTU:1500  Metric:1
> > > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:0 txqueuelen:0
> > > >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > > > So I guess it's going through lo device? Why and how can I block this?
> > > > Many thanks.
> > > >
> > > > _______________________________________________
> > > > Debian mailing list
> > > > [email protected]
> > > > https://lists.openvz.org/mailman/listinfo/debian
> > >
> > > --
> > > --------------------- Ola Lundqvist ---------------------------
> > > /  [email protected]                    Annebergsslingan 37   \
> > > |  [email protected]                    654 65 KARLSTAD       |
> > > |  http://inguza.com/                  +46 (0)70-332 1551     |
> > > \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> > > ---------------------------------------------------------------
_______________________________________________
Users mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/users
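Ola's suggestion to fence the bridges off with iptables on the hardware node, worked out as an added example that is not part of this thread: a script that emits a DROP rule per direction between every pair of vzbrNNN bridges, plus rules that keep traffic arriving from one bridge (or from venet0) away from the other bridges' HN addresses. Assumed, not stated in the thread: the subnets 192.168.202.0/24 and 192.168.203.0/24 implied by the bridge addresses, that venet traffic enters the HN on an interface named venet0, and that venet-only containers are not meant to reach the private bridge networks at all.

```shell
#!/bin/sh
# Added example, not from the thread: generate HN iptables rules so a VE on
# one vzbrNNN bridge cannot reach another bridge, or that bridge's HN
# address, merely because net.ipv4.ip_forward=1 on the hardware node.
# Assumption: venet traffic shows up on the HN on an interface named venet0.

# isolation_rules BRIDGE/SUBNET ...  -> prints one iptables command per line
isolation_rules() {
    for a in "$@"; do
        br_a=${a%%/*}            # e.g. vzbr202
        for b in "$@"; do
            br_b=${b%%/*}
            net_b=${b#*/}        # e.g. 192.168.203.0/24
            if [ "$br_a" = "$br_b" ]; then
                continue         # a bridge may of course talk to itself
            fi
            # bridged VE -> VE on another bridge (would be routed by the HN)
            echo "iptables -A FORWARD -i $br_a -o $br_b -j DROP"
            # bridged VE -> another bridge's HN address (delivered locally)
            echo "iptables -A INPUT -i $br_a -d $net_b -j DROP"
        done
    done
    # venet-only VEs (route "default dev lo", traffic via venet0) reach the
    # HN the same way, so keep them out of the private bridge networks too
    for a in "$@"; do
        echo "iptables -A INPUT -i venet0 -d ${a#*/} -j DROP"
        echo "iptables -A FORWARD -i venet0 -o ${a%%/*} -j DROP"
    done
}

# The two bridges from the thread; the /24 subnets are constructed from
# their 192.168.20x.1 addresses and 255.255.255.0 netmasks.
default_rules() {
    isolation_rules vzbr202/192.168.202.0/24 vzbr203/192.168.203.0/24
}

# Stand-alone: print the rules; "--apply" pipes them to sh (needs root on HN).
if [ "${1-}" = "--apply" ]; then
    default_rules | sh
else
    default_rules
fi
```

Review the printed rules first; with two bridges the script emits eight DROP rules, and each extra bridge adds rules for every pair.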
