On Thu, Apr 29, 2004 at 06:07:22PM +0000, Liam Helmer wrote:
> > hmm, I do not see a problem with implementing a
> > netfilter for xid (on outgoing packets), if you
> > (or somebody else) volunteers to do the userspace
> > part (for netfilter) to configure it ...
>
> I'm up for it. We'd have to all decide on what people want it to do,
> exactly, but that's cool. Something along the lines of:
>
> Enforcing routing of outgoing packets to always use the vserver's
> source IP(s)

this is something which will be solved by the next step when I clean up
the network implementation of vserver (and should already work partially),
so I think this should not require special rules ...

> Enforcing routing so that a vserver will only use certain
> interfaces for routing outgoing packets

this can already be done by using a separate routing table for each
vserver (~250 are available) and assigning an appropriate rule to map
ip ranges to the right table ...

> Allowing NAT of vserver packets when going out certain interfaces
> Allowing bandwidth control of outgoing vserver bandwidth

and special accounting rules (by traffic classes) would be good
candidates for such a tagging ...

> This would have to play nice with firewall and network code naturally.
> I've implemented something to play nice with gentoo network and
> shorewall, some of which is portable.
>
> > this is not an option for incoming packets though
> > as you cannot determine the target context, until
> > the receiving socket is found (which is too late
> > for netfilter stuff ;)
>
> Actually, there is a way of doing this with the netfilter connmark
> extension (newer netfilter patch). What you do is mark the connection
> (not the packet) when the vserver host sends out its first ack packet:
> you can identify which context it's coming from at that point. So, no,
> you can't identify the actual incoming connection, but you can still
> apply traffic shaping and routing on a per vserver basis that way.
> This would apply to any protocol supported by conntrack: ftp, http,
> voip, etc. So, if you can add context id match support to netfilter, I
> think I should be able to get netfilter to mark the connection, even
> with incoming packets (on hosts that support this).

I'm not convinced that connection tracking is such a good idea, but I
guess we could do something different for incoming packets: we could add
a per network context flag to limit a context to a certain tag, this way
a netfilter ruleset could decide which packets reach a vserver and which
don't ... without any need for a connection ...

best,
Herbert

> Cheers,
> Liam

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
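The two mechanisms discussed in this exchange, a private routing table per vserver (Herbert's suggestion) and connmark tagging of connections on the first packet a context sends (Liam's scheme), written out as a small rule generator. This is an added example, not code from the thread or from the vserver project. The `-m xid --xid N` netfilter match is hypothetical (the thread only proposes it); using the context id as both routing table number and connection mark is a convention chosen here; the addresses and interface names are constructed. Without `RUN=1` the script only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from the vserver project.
# Assumptions: "-m xid --xid N" is a hypothetical netfilter match; the
# context id doubles as routing table number and connection mark; the
# addresses/interfaces in the usage lines are constructed.

# Print the command in dry-run mode, execute it when RUN=1.
run() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

# vserver_routing XID SRC_CIDR DEV GATEWAY
# Own routing table per vserver (tables 1..252 are free for this) plus a
# rule mapping the vserver's source range to it, so outgoing packets only
# ever leave through DEV.
vserver_routing() {
    xid=$1; src=$2; dev=$3; gw=$4
    run ip route add default via "$gw" dev "$dev" table "$xid"
    run ip rule add from "$src" lookup "$xid"
}

# connmark_common
# Installed once, not per vserver: copy an existing connection mark back
# onto every packet of that connection, in both directions.
connmark_common() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# vserver_connmark XID OUT_DEV
# Tag a still-unmarked connection (--mark 0) with the context id on the
# first packet the vserver sends; that is the only point where the
# context is known, and it also covers the SYN-ACK of an incoming
# connection. Later packets of the connection, replies included, are
# then routed and NATed by that mark.
vserver_connmark() {
    xid=$1; dev=$2
    run iptables -t mangle -A OUTPUT -m xid --xid "$xid" \
        -m connmark --mark 0 -j CONNMARK --set-mark "$xid"
    run ip rule add fwmark "$xid" lookup "$xid"
    run iptables -t nat -A POSTROUTING -o "$dev" \
        -m connmark --mark "$xid" -j MASQUERADE
}

# Usage (dry run; constructed values):
vserver_routing 101 10.0.101.0/24 eth1 10.0.101.1
connmark_common
vserver_connmark 101 eth1
```

The `--restore-mark` rules are deliberately kept out of the per-vserver function so they are installed once; the per-vserver part only adds the tagging rule, the `fwmark` routing rule and the NAT rule that Liam's list asks for.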
