OpenVZ Forum


Filter container traffic [message #46858] Tue, 19 June 2012 02:10
cheetah
Hi Guys,


I just set up my OpenVZ environment. What I need to do now is to write a
firewall to check each flow from a container and decide if it is allowed.

I noticed that for each container there is a vmnet device. I am wondering whether
I can use Open vSwitch with this vmnet device? (It seems not, from what is
mentioned here: http://wiki.openvz.org/Virtual_network_device). If not, does
that mean I have to use netfilter/conntrack/iptables to implement my
firewall? Could you please recommend some tutorials/readings?

Thanks a lot!

Regards,
Peter
Re: [Devel] Filter container traffic [message #47004 is a reply to message #46858] Tue, 26 June 2012 19:44
kir

On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just set up my OpenVZ environment.

Can you please stop cross-posting to two mailing lists? This is kinda
impolite and is counter-productive.

Please stick to users@ list, unless you have a patch or smth.

Thank you.


Kir Kolyshkin
Re: [Devel] Filter container traffic [message #47007 is a reply to message #47004] Wed, 27 June 2012 03:03
cheetah
Sorry for my misuse. Will follow the advice next time.

Could you please give some hints on the questions? Thanks.

Peter

On Wed, Jun 27, 2012 at 3:44 AM, Kir Kolyshkin <kir@openvz.org> wrote:

> On 06/19/2012 06:10 AM, cheetah wrote:
>
>> Hi Guys,
>>
>>
>> I just set up my OpenVZ environment.
>>
>
> Can you please stop cross-posting to two mailing lists? This is kinda
> impolite and is counter-productive.
>
> Please stick to users@ list, unless you have a patch or smth.
>
> Thank you.
>
Re: [Devel] Filter container traffic [message #47009 is a reply to message #46858] Wed, 27 June 2012 08:36
kir

On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just set up my OpenVZ environment. What I need to do now is to write
> a firewall to check each flow from a container and decide if it is allowed.
>
> I noticed that for each container there is a vmnet device.

You probably mean venet or veth. We do not have vmnet.

> I am wondering whether I can use Open vSwitch with this vmnet device?

It will be possible later, we have just finished porting Open vSwitch to
our RHEL6 kernel. Now, it is not possible.

> (It seems not, from what is mentioned here:
> http://wiki.openvz.org/Virtual_network_device). If not, does that mean
> I have to use netfilter/conntrack/iptables to implement my firewall?

Yes, you can use iptables. For the venet case, you can use iptables on the
host system and/or inside the CT. For the veth case, you can only use iptables
inside containers (and on the host you can use ebtables, I guess).


Kir Kolyshkin
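The host-side placement described in this reply (iptables on venet0 for venet, ebtables on the host-side veth device for veth), as an added example that is not part of this thread or of OpenVZ itself: a POSIX sh function that emits a default-deny egress policy for one container as rule lines. The host-side veth device name veth<CTID>.0, the container ID and the sample IP are assumptions.

```shell
#!/bin/sh
# Emit a default-deny egress policy for one container as rule lines.
#   venet: the host routes CT packets, so they cross the host FORWARD chain
#          arriving on venet0 and iptables (with conntrack) can match them.
#   veth:  the host only bridges frames, so they are matched with ebtables
#          on the host-side veth device; ebtables is stateless, so only the
#          CT-originated direction is restricted here.
# Assumed: the host-side veth device is named veth<CTID>.0.
# Usage: ct_egress_rules MODE CTID CT_IP "PORT PORT ..."
ct_egress_rules() {
    mode=$1; ctid=$2; ip=$3; ports=$4
    case $mode in
    venet)
        # Both directions of flows that were already permitted.
        echo "iptables -A FORWARD -i venet0 -s $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -o venet0 -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        for p in $ports; do
            echo "iptables -A FORWARD -i venet0 -s $ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        # Log, then drop, everything else the container originates.
        echo "iptables -A FORWARD -i venet0 -s $ip -j LOG --log-prefix \"CT$ctid-DROP \""
        echo "iptables -A FORWARD -i venet0 -s $ip -j DROP"
        ;;
    veth)
        dev="veth$ctid.0"
        for p in $ports; do
            echo "ebtables -A FORWARD -i $dev -p IPv4 --ip-src $ip --ip-proto tcp --ip-dport $p -j ACCEPT"
        done
        # "-p IPv4" keeps the drop to IP frames, so the CT's ARP still works.
        echo "ebtables -A FORWARD -i $dev -p IPv4 --ip-src $ip -j DROP"
        ;;
    *)
        echo "ct_egress_rules: unknown mode '$mode' (use venet or veth)" >&2
        return 1
        ;;
    esac
}

# Print the rules when run directly with four arguments; pipe into sh to apply.
if [ "$#" -eq 4 ]; then
    ct_egress_rules "$@"
fi
```

Only TCP destination ports are opened; UDP services the container needs (DNS, for instance) would need analogous rules before the final DROP.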
Re: [Devel] Filter container traffic [message #47011 is a reply to message #46858] Wed, 27 June 2012 08:41
kir

On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just set up my OpenVZ environment. What I need to do now is to write
> a firewall to check each flow from a container and decide if it is allowed.
>
> I noticed that for each container there is a vmnet device. I am
> wondering whether I can use Open vSwitch with this vmnet device? (It seems not,
> from what is mentioned here:
> http://wiki.openvz.org/Virtual_network_device). If not, does that mean
> I have to use netfilter/conntrack/iptables to implement my firewall?
> Could you please recommend some tutorials/readings?

I guess most of what we have is available from here:
http://wiki.openvz.org/Category:Networking


Kir Kolyshkin