It's my understanding that the model is passing the packets back down to a virtual switch (an emulated switch within the kernel) and then back up a networking stack within the container's view.
Therefore you need to investigate solutions that would work across a real network as well. Have you considered looking into VLAN tagging?

On Tue, Aug 26, 2014 at 6:18 AM, Norman Meilick <[email protected]> wrote:
> Hi,
>
> in my containers, I'm trying to filter packets using marks set by ebtables
> on the host, but it seems those marks are not propagated to the
> containers, and I wonder if there is a way to make it work.
>
> Example:
> I have a host with several physical NICs (e.g., intranet1, intranet2, wifi,
> extranet) that are all members of the bridge "mybridge".
>
> Containers are configured with one network interface (veth) that also
> becomes a member of "mybridge".
>
> Incoming packets on the host are marked depending on the physical
> interface they arrived on:
>
> ebtables -t nat -A PREROUTING -i intranet1 -j mark --set-mark 0x1
> ebtables -t nat -A PREROUTING -i intranet2 -j mark --set-mark 0x1
> ebtables -t nat -A PREROUTING -i wifi -j mark --set-mark 0x2
> ebtables -t nat -A PREROUTING -i extranet -j mark --set-mark 0x3
>
> Alas, when the packet arrives at the respective container, the
> mark is gone; I verified this via:
>
> iptables -A INPUT -j NFLOG --nflog-group 20
> tshark -i nflog:20 -n -V | grep NFULA_MARK
>
> Having a way to filter by incoming interface while keeping it
> simple by only having one virtual NIC would majorly simplify
> and unify firewalling inside my containers.
>
> I suspect the marks not being propagated is a feature of the
> network namespace, but maybe there's a way around that.
>
> Thanks in advance for any ideas...
> Norman
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
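As an added worked example (not code from either poster), this is what the VLAN-tagging suggestion looks like in practice: the host bridge runs with VLAN filtering, each physical NIC's untagged ingress is assigned a VLAN that mirrors the original mark scheme, the container's veth carries all of those VLANs tagged, and inside the container iptables matches on the VLAN sub-interface, which survives the namespace crossing where the fwmark did not. The bridge name and NIC names come from the post; the VLAN IDs, the host-side veth name "veth-c1", the in-container NIC "eth0" and the sample iptables policy are assumptions. Without arguments the script only prints the commands; "apply" executes them (root, iproute2 with bridge(8)).

```shell
#!/bin/sh
# Added example: replace the lost ebtables mark with 802.1Q VLAN tags so the
# container can filter by ingress VLAN sub-interface instead of by fwmark.
# Constructed assumptions: host-side veth "veth-c1", in-container NIC "eth0",
# VLAN IDs 10/20/30 standing in for marks 0x1/0x2/0x3 from the post.
MODE=${1:-dry-run}           # "apply" runs the commands, anything else prints them
BRIDGE=mybridge
VETH=veth-c1
NIC_MAP="intranet1:10 intranet2:10 wifi:20 extranet:30"   # NIC:VID, like the mark scheme

run() { if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi; }

# Unique VLAN IDs in NIC_MAP, numerically sorted.
vids() { for p in $NIC_MAP; do echo "${p##*:}"; done | sort -un; }

# Host side: enable VLAN filtering on the bridge, make each physical NIC an
# access port for its zone's VLAN, and trunk all zone VLANs to the veth.
host_cmds() {
  run ip link set dev "$BRIDGE" type bridge vlan_filtering 1
  for pair in $NIC_MAP; do
    nic=${pair%%:*}; vid=${pair##*:}
    run bridge vlan del dev "$nic" vid 1                 # drop the default VLAN
    run bridge vlan add dev "$nic" vid "$vid" pvid untagged
  done
  run bridge vlan del dev "$VETH" vid 1
  for vid in $(vids); do
    run bridge vlan add dev "$VETH" vid "$vid"          # tagged towards the container
  done
}

# Container side: one sub-interface per zone, then ordinary -i matches.
# The sample policy (intranet open, wifi SSH only, extranet dropped) is assumed.
container_cmds() {
  for vid in $(vids); do
    run ip link add link eth0 name "eth0.$vid" type vlan id "$vid"
    run ip link set "eth0.$vid" up
  done
  run iptables -A INPUT -i eth0.10 -j ACCEPT
  run iptables -A INPUT -i eth0.20 -p tcp --dport 22 -j ACCEPT
  run iptables -A INPUT -i eth0.30 -j DROP
}

host_cmds
container_cmds
```

The host-side commands run in the host namespace and the container-side ones inside the container (e.g. via `lxc-attach`), so in a real deployment they are split into two scripts.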
