OpenVZ Forum
Filter container traffic [message #46858] Tue, 19 June 2012 02:10
From: cheetah
Hi Guys,


I just set up my OpenVZ environment. What I need to do now is to write a
firewall that checks each flow from a container and decides whether it is allowed.

I noticed that for each container there is a vmnet device. I am wondering whether
I can use Open vSwitch with this vmnet device? (It seems not, from what is
mentioned here http://wiki.openvz.org/Virtual_network_device). If not, does
that mean I have to use netfilter/conntrack/iptables to implement my
firewall? Could you please recommend some tutorials/readings?

Thanks a lot!

Regards,
Peter
Re: [Devel] Filter container traffic [message #47004 is a reply to message #46858] Tue, 26 June 2012 19:44
From: kir
On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just setup my openvz environment.

Can you please stop cross-posting to two mailing lists? This is kind of
impolite and is counter-productive.

Please stick to the users@ list, unless you have a patch or something.

Thank you.


Kir Kolyshkin
Re: [Devel] Filter container traffic [message #47007 is a reply to message #47004] Wed, 27 June 2012 03:03
From: cheetah
Sorry for my misuse. Will follow the advice next time.

Could you please give some hints on the questions? Thanks.

Peter

On Wed, Jun 27, 2012 at 3:44 AM, Kir Kolyshkin <kir@openvz.org> wrote:

> On 06/19/2012 06:10 AM, cheetah wrote:
>
>> Hi Guys,
>>
>>
>> I just setup my openvz environment.
>>
>
> Can you please stop cross-posting to two mailing lists? This is kind of
> impolite and is counter-productive.
>
> Please stick to the users@ list, unless you have a patch or something.
>
> Thank you.
>
Re: [Devel] Filter container traffic [message #47009 is a reply to message #46858] Wed, 27 June 2012 08:36
From: kir
On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just set up my OpenVZ environment. What I need to do now is to write
> a firewall that checks each flow from a container and decides whether it is allowed.
>
> I noticed that for each container there is vmnet device.

You probably mean venet or veth. We do not have vmnet.

> I am wondering whether I can use Open vSwitch with this vmnet device?

It will be possible later; we have just finished porting Open vSwitch to
our RHEL6 kernel. Now, it is not possible.

> (It seems not, from what is mentioned here
> http://wiki.openvz.org/Virtual_network_device). If not, does that mean
> I have to use netfilter/conntrack/iptables to implement my firewall?

Yes, you can use iptables. In the venet case, you can use iptables on the
host system and/or inside the CT. In the veth case, you can only use iptables
inside the containers (and on the host you can use ebtables, I guess).


Kir Kolyshkin
Re: [Devel] Filter container traffic [message #47011 is a reply to message #46858] Wed, 27 June 2012 08:41
From: kir
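Kir's answer above names the two hook points: the host's FORWARD chain for a venet container, and iptables inside the container for a veth one. The script below turns that into a per-container egress policy. It is an added example, not code from this thread or from the OpenVZ project. The CTID 101, the venet address 10.0.0.101 and the allowed ports (TCP 80/443, UDP 53) are assumed values; `venet0` and `vzctl exec` are the standard OpenVZ interface and command.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVZ project: per-container
# egress policy on an OpenVZ host.  Assumed values: CTID 101 with venet
# address 10.0.0.101, allowed outbound TCP 80/443 and UDP 53; anything else
# the container originates is logged and dropped.
# Dry run by default (commands are printed); APPLY=1 executes them (as root).

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# venet case: the host routes every packet the CT sends, so the decision is
# taken in the host's FORWARD chain.  One chain per CT, hooked on the venet0
# ingress device plus the CT's own source address, keeps the policy easy to
# audit and to flush when the CT is destroyed.
venet_policy() {
    ctid=$1; ctip=$2; chain="CT_$ctid"
    run iptables -N "$chain"
    run iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$chain" -p udp --dport 53 -j ACCEPT
    run iptables -A "$chain" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A "$chain" -m limit --limit 10/min -j LOG --log-prefix "CT${ctid}-DROP: "
    run iptables -A "$chain" -j DROP
    # Replies to flows the CT opened, needed when the FORWARD policy is DROP.
    run iptables -I FORWARD -o venet0 -d "$ctip" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything the CT originates goes through its own chain.
    run iptables -I FORWARD -i venet0 -s "$ctip" -j "$chain"
}

# veth case: the CT's packets are bridged on the host rather than routed
# through it, so, following the answer above, the same policy is installed
# inside the CT's own OUTPUT chain through vzctl exec.
veth_policy_in_ct() {
    ctid=$1
    for rule in \
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "-A OUTPUT -p udp --dport 53 -j ACCEPT" \
        "-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT" \
        "-A OUTPUT -j DROP"
    do
        # $rule is left unquoted on purpose: each word is one iptables argument.
        run vzctl exec "$ctid" iptables $rule
    done
}

# Usage: sh ctfw.sh (prints the rules); APPLY=1 sh ctfw.sh (installs them).
venet_policy 101 10.0.0.101
veth_policy_in_ct 101
```

Two caveats a practitioner will hit. For the veth variant the container's configuration has to permit the netfilter modules the rules use (the IPTABLES setting of the CT config, or `vzctl set --iptables`), otherwise `iptables` inside the CT fails to load the conntrack and multiport matches. For the venet variant, nothing in the script touches traffic addressed to the CT other than replies; inbound policy is a separate chain keyed on `-o venet0 -d CT_IP`. As Kir notes, the host-side alternative for veth is ebtables on the host end of the CT's veth pair, which is not shown here.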
On 06/19/2012 06:10 AM, cheetah wrote:
> Hi Guys,
>
>
> I just set up my OpenVZ environment. What I need to do now is to write
> a firewall that checks each flow from a container and decides whether it is allowed.
>
> I noticed that for each container there is a vmnet device. I am
> wondering whether I can use Open vSwitch with this vmnet device? (It seems not,
> from what is mentioned here
> http://wiki.openvz.org/Virtual_network_device). If not, does that mean
> I have to use netfilter/conntrack/iptables to implement my firewall?
> Could you please recommend some tutorials/readings?

I guess most of what we have is available from here:
http://wiki.openvz.org/Category:Networking


Kir Kolyshkin