Hello, I am trying to implement a protection against MAC address spoofing from the containers without having to add an extra ebtables|iptables rule per container. I could have used ipset, but macipmap is not available in ipset 6, and bitmap_ipmac only supports a single /16. Using macvlan directly on my physical interface is not an option because I want to do some extra iptables-based filtering on the outgoing packets.

I thought I could achieve that using macvlan. Currently the containers are networked using lxc.network.type=veth. That is to say, a veth pair is created for each node and attached to a common bridge (br0).

    [vetha]--[veth0]__
    [vethb]--[veth1]_ \
      . . .           \_\__[br0]_
    [vethX]--[vethN]_/   /
              [eth0]__/

My idea was to do this:

1/ create a veth pair: veth_slave and veth_master.
2/ attach veth_master on my bridge (br0)
3/ set up br0 as a reflexive relay (echo 1 > /sys/../veth_master/../hairpin_mode)
4/ use macvlan to split up veth_slave between the containers:

    lxc.network.type = macvlan
    lxc.network.macvlan.mode = vepa
    lxc.network.link = veth_slave

    [macvlan0]__
    [macvlan1]_ \
      . . .      \_\_[veth_slave]--[veth_master]--[br0]__
    [macvlanN]_/                                       /
                                              [eth0]__/

The intention being that macvlan prevents MAC spoofing. But Linux seems not to relay my packets from br0 to macvlan0.

When I run a "ping -I veth_master $IP", I can see ARP who-has arriving on the container and being replied to, but those replies seem to be ignored by Linux and ICMP packets are never sent.

If I run a "ping -I br0 $IP", no packets or frames appear in the containers; however, the bridge seems to know that their MACs are accessible from veth_master (according to brctl showmacs).

Routes are as follows: "$CONTAINER_IP/32 dev br0 scope link".

Any tips about something I have forgotten? Is there a simpler way?

Thank you in advance for your help,
Brice

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
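The topology the post describes, as an added example that is not part of the original message: a POSIX shell script that creates the veth relay, plugs the master end into the bridge with hairpin mode on, checks the hairpin state through sysfs, and emits the per-container macvlan/VEPA config. The names br0, veth_master, veth_slave and the container MAC are assumptions; the setup steps need root unless DRY_RUN=1, in which case the commands are printed instead of run.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumed names: br0, veth_master,
# veth_slave. Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the veth pair, attach the master end to the bridge and enable
# hairpin mode so the bridge reflects frames back out of the port they came
# in on (same effect as echo 1 > /sys/class/net/$br/brif/$master/hairpin_mode).
setup_relay() {
    br=$1; master=$2; slave=$3
    run ip link add "$master" type veth peer name "$slave"
    run ip link set "$master" master "$br"
    run bridge link set dev "$master" hairpin on
    run ip link set "$master" up
    run ip link set "$slave" up
}

# Check whether hairpin mode is active on a bridge port. SYSFS_ROOT defaults
# to /sys/class/net and is overridable so the check can be exercised offline.
hairpin_enabled() {
    br=$1; port=$2
    f="${SYSFS_ROOT:-/sys/class/net}/$br/brif/$port/hairpin_mode"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Per-container LXC config: a macvlan in VEPA mode on top of veth_slave with a
# fixed MAC, so the container cannot pick its own source address. The
# lxc.network.hwaddr key is a standard LXC option, not taken from the post.
lxc_macvlan_config() {
    slave=$1; hwaddr=$2
    printf 'lxc.network.type = macvlan\n'
    printf 'lxc.network.macvlan.mode = vepa\n'
    printf 'lxc.network.link = %s\n' "$slave"
    printf 'lxc.network.hwaddr = %s\n' "$hwaddr"
}
```

Run `DRY_RUN=1 sh -c '. ./relay.sh; setup_relay br0 veth_master veth_slave'` to preview the commands, then call `hairpin_enabled br0 veth_master` after the real run to confirm the bridge port is reflexive.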