On Fri, Feb 10, 2006 at 08:58:05AM +0100, Oliver Welter wrote:
> Hi Folks,
>
> I encounter several problems regarding routing with a vServer host that
> has multiple networks.
>
> I have a host which occupies three networks; my guest has IPs only in
> two of them, resulting in the problem that the guest is unable to ping the
> third network under certain circumstances.
>
> When I try to ping the third network, the packets are emitted with a
> source address from the first activated network (so, the lowest number
> in the interface directory) - in my case this is an internal maintenance
> LAN and I get packets that are unroutable.
> The packets are routed to the target but are discarded there because
> they come in via the external NIC (third network) but have a source
> address that belongs to the internal NIC.
>
> I hope anybody understands this description - but I can't describe it
> better...
>
> The workaround for now is to set up the IP belonging to the default
> route of the host as the first in the vServer. It also works when I
> discard all network routes from the host's routing table and address
> this by source-based routing policies.
>
> But I assume that it would be best when the implementation of vServer
> network management hides all routes that are not accessible by the
> guest.
'Hiding' those routes (as in proc or for ip route) is not a real problem, but that will not help you in any way: the routing decisions are based solely on the view the host has of the network, as the network stack is not virtualized but shared. You cannot simply 'hide' routes from the routing cache and the FIB database ...

If you want a schizophrenic host which can handle separate networks, you simply have to configure that properly. In your case that means creating two tables which contain the separate network entries and putting only the 'shared' net in the main table, then having appropriate rules decide which table to choose from, based on the source IP.

This is nothing Linux-VServer specific; it is the way Linux networking works, and it will not change without some kind of network stack virtualization, which will be done in the upcoming ngnet ...

best,
Herbert

> Oliver
>
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
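The table-per-network layout Herbert describes, as an added shell example (not code from the thread or from the Linux-VServer project): interface names, prefixes, gateway and table numbers are constructed, and the unreachable default in the isolated table is an assumption that traffic sourced there must not fall through to the main table.

```shell
#!/bin/sh
# Emits the policy-routing setup Herbert outlines: every network that only
# some contexts may use gets its own table, chosen by a rule on the packet's
# source address; only the shared network and the host's default route stay
# in main. All interfaces, prefixes, gateways and table numbers are constructed.

# emit_table TABLE DEV PREFIX [GATEWAY]
# Routes for one separate network: its connected route and, if a gateway is
# given, a default route through it. Without a gateway the table ends in an
# unreachable default, so a failed lookup does not fall through to main.
emit_table() {
    table=$1; dev=$2; prefix=$3; gw=$4
    printf 'ip route add %s dev %s table %s\n' "$prefix" "$dev" "$table"
    if [ -n "$gw" ]; then
        printf 'ip route add default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    else
        printf 'ip route add unreachable default table %s\n' "$table"
    fi
}

# emit_rule PREFIX TABLE
# Rule that sends packets sourced from PREFIX to TABLE before main is tried.
emit_rule() {
    printf 'ip rule add from %s table %s\n' "$1" "$2"
}

# emit_main PREFIX DEV GATEWAY GWDEV
# What remains in main: the shared network and the host's default route.
# The gateway's own network lives in a separate table, so main cannot
# resolve it; 'onlink' tells the kernel to accept the next hop anyway.
emit_main() {
    printf 'ip route add %s dev %s\n' "$1" "$2"
    printf 'ip route add default via %s dev %s onlink\n' "$3" "$4"
}

# emit_policy_routing
# Full command set for a constructed three-network host: maintenance LAN on
# eth0 (host only), shared LAN on eth1 (host and guest), external uplink on
# eth2 (host only) carrying the default route. Run the output as root.
emit_policy_routing() {
    emit_table 101 eth0 10.10.0.0/24
    emit_rule 10.10.0.0/24 101
    emit_table 102 eth2 203.0.113.0/24 203.0.113.1
    emit_rule 203.0.113.0/24 102
    emit_main 192.168.50.0/24 eth1 203.0.113.1 eth2
    # 2.6-era kernels keep a routing cache; flush it so the new rules apply.
    printf 'ip route flush cache\n'
}
emit_policy_routing
```

Pipe the output into `sh -e` as root after the addresses exist on the interfaces; `ip rule show` and `ip route show table 101` then let you confirm which table a given source address is steered into.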
