Hi Pavel!

I gave lectures about virtualization and the current stable branch of vservers at CCC-Z23/CCC-RP, where I had to refer to by-IP chains for each vserver for both incoming and outgoing packets, and I had to admit it becomes impracticable when using CAP_NET_RAW or shared IPs.

The only useful idea to solve this problem was exactly what you implemented now. Since that time, extending ipt_owner was one thing on my todo list... Great thing, thank you. :)

@Herbert: What about exporting environment variables containing useful data (read: at least the context id) when /etc/vservers/*.sh are executed? Doing so, we could exec some kind of iptables wrapper from *.sh or configure iptables directly from *.sh without the need of using fixed context ids. This also satisfies other per-context-id configuration needs. Maybe this is also done but I have not noticed yet... ;)

Best regards,
// Veit

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
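The wrapper idea above, as an added example that is not part of the post, of util-vserver, or of the ipt_owner patch: a hook script builds one per-guest chain keyed on the context id instead of on addresses, so shared IPs need no special casing. It assumes the hook environment exports the context id as VSERVER_XID and the guest name as VSERVER_NAME (assumed names), and that the owner match accepts an `--xid-owner` option (assumed; check `iptables -m owner --help` against the patched kernel).

```shell
#!/bin/sh
# Added example (not from the post or util-vserver). Assumptions:
#   VSERVER_XID / VSERVER_NAME  - exported by the *.sh hook environment
#   -m owner --xid-owner N      - context-id match from the ipt_owner extension
# Set DRY_RUN=1 to print the rules instead of applying them.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build an egress chain for one guest.
#   $1 = context id, $2 = guest name (used for the chain name),
#   $3 = space-separated TCP destination ports the guest may reach.
# The owner match only makes sense for locally generated packets, so the
# chain hangs off OUTPUT; nothing here depends on which IPs the guest uses.
vserver_fw_rules() {
    xid=$1; name=$2; ports=$3
    chain="vs_${name}"
    ipt -N "$chain"
    ipt -F "$chain"
    # Route only this context's own traffic through its chain.
    ipt -A OUTPUT -m owner --xid-owner "$xid" -j "$chain"
    ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        ipt -A "$chain" -p tcp --dport "$p" -j ACCEPT
    done
    # Log new connections that fall through, then drop them.
    ipt -A "$chain" -m state --state NEW -j LOG --log-prefix "vs_${name}_drop: "
    ipt -A "$chain" -j DROP
}

# From a hook: vserver_fw_rules "$VSERVER_XID" "$VSERVER_NAME" "25 80 443"
```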