OpenVZ Forum


Using IPTables MAC Filter Module in VE ? [message #4883] Tue, 01 August 2006 15:25
MeMu
Hi!
I'm using OpenVZ 2.6.16-026test015 and it works very well besides some little problems with iptables...
Is there any possibility to use the ipt_mac module in VE?
I need to block network packages by MAC addresses inside a VE...
For example I only want to block MAC 00:11:22:33:44:55 in veth101.0 and allow those packages from above MAC in veth102.0...

Prefiltering network packages inside the hardware node is not possible (in my opinion), because of the hardware constellation (bridge):

......./--- Wireless Interface (ath0)
bridge0---- Virtual Interface 1 (veth101.0)
'''''''\--- Virtual Interface 2 (veth102.0)


It works fine in the hardware node only but fails loading in the virtual node:
/etc/vz# vzctl enter 101
Warning: Unknown iptable module: ipt_mac, skipped
Warning: Unknown iptable module: xt_mac, skipped
entered into VPS 101
root@vn01:/# iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP
iptables: No chain/target/match by that name


vz.conf:
[...snip...]
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_mac xt_mac"


Thanks for some hints or tricks :)
bye
MeMu

[Updated on: Tue, 01 August 2006 15:26]


Re: Using IPTables MAC Filter Module in VE ? [message #4915 is a reply to message #4883] Wed, 02 August 2006 08:06
Vasily Tarasov
Unfortunately ipt_mac isn't virtualized. You can't use it inside VE.
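
A pre-flight check for the situation in this thread, as an added example that is not part of any post: it compares the IPTABLES list from vz.conf with the warnings vzctl printed, so a firewall script can stop instead of carrying on without its `-m mac` rules. The function names are hypothetical, and the sample input is the output quoted in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVZ.
# Sample input below is constructed from the output quoted in the first post.
SAMPLE_CONF='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_mac xt_mac"'
SAMPLE_VZCTL='Warning: Unknown iptable module: ipt_mac, skipped
Warning: Unknown iptable module: xt_mac, skipped
entered into VPS 101'

# Print the modules named on the IPTABLES= line of a vz.conf text, one per line.
requested_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*IPTABLES="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' |
        tr -s ' ' '\n' | sed '/^$/d'
}

# Print the modules that vzctl reported as skipped, one per line.
skipped_modules() {
    printf '%s\n' "$1" |
        sed -n 's/^Warning: Unknown iptable module: \([^,]*\), skipped$/\1/p'
}

# Usage: modules_usable CONF_TEXT VZCTL_OUTPUT MODULE...
# Returns 0 only if every MODULE was requested in vz.conf and not skipped.
# Prints one line per module that cannot be relied on.
modules_usable() {
    conf=$1; log=$2; shift 2
    req=$(requested_modules "$conf")
    skip=$(skipped_modules "$log")
    rc=0
    for m in "$@"; do
        if ! printf '%s\n' "$req" | grep -qxF -- "$m"; then
            echo "$m: not listed in IPTABLES"; rc=1
        elif printf '%s\n' "$skip" | grep -qxF -- "$m"; then
            echo "$m: skipped by vzctl, -m mac rules will not load in the VE"; rc=1
        fi
    done
    return $rc
}

# Fail closed: do not go on to apply a ruleset that depends on the mac match.
modules_usable "$SAMPLE_CONF" "$SAMPLE_VZCTL" ipt_mac xt_mac ||
    echo "refusing to apply MAC-based rules inside the VE"
```
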
Re: Using IPTables MAC Filter Module in VE ? [message #4917 is a reply to message #4915] Wed, 02 August 2006 08:11
MeMu
Hello!
Sounds bad but anyway... Thanks for the information!
Btw: Are there plans to support it in the near future?
bye
MeMu
Re: Using IPTables MAC Filter Module in VE ? [message #4919 is a reply to message #4917] Wed, 02 August 2006 08:22
dim
Since we released veth dev, we'll probably virtualize this module as well. But I can't say exactly when.

[SOLVED] Re: Using IPTables MAC Filter Module in VE ? [message #4936 is a reply to message #4919] Thu, 03 August 2006 14:47
MeMu
Hi!
I patched the openvz-kernel (026test015) and vzctl (3.0.10) myself... :)
Works fine here with 10 virtual nodes and 6 real nodes, which block/unblock each other from time to time...

Enjoy and cu
MeMu

[Updated on: Thu, 03 August 2006 14:49]
