On Fri, 27.02.2004 at 23:58, Herbert Poetzl wrote:
> well, the thing is, in that case you would need two
> tuntap devices to get the same as the UML implementation
> uses, one converting the packets to a data stream, and
> the other converting it back from data stream to packets
> (which doesn't make much sense)

?????

> and this doesn't even cover the restrictions, not
> present in UML (so you have to use iptables & co on
> the host)

UML offers iptables inside a virtual server - nice to have but not really needed.

> hmm, I'd like to know what problems you have with the
> current approach, except for the fact, that it doesn't
> look nice to have eth0:XYZ instead of eth0?

Simple: I cannot have CAP_NET_ADMIN, and if I had it, it doesn't work right on an interface alias.

> I'd appreciate a list of things you are 'missing'
> together with a small comment, how to make that feature
> secure on a vserver, as example:
>
> - missing: ping doesn't work like on linux server xy
>   why: ping requires CAP_NET_RAW, giving that would mean
>   - vserver can generate arbitrary packets
>   - vserver can fake packets from other vservers
>   - vserver can generate fake arp replies
>   this can be secured by:
>   - checking every raw packet via some packet checker
>   - filtering out malicious packets ...

I've been using vserver for 3 weeks, but I've found a solution to give a vserver CAP_NET_RAW without security problems...

ping works, arbitrary packets are no problem, faking packets from other servers: doesn't SEEM to work, I'm sure that this would not work if I could use tun/tap the way I'd like to.

fake arp: also seems that it wouldn't work, I'm sure this will be absolutely no problem with kernel v2.6 and ebtables - there is no special packet checker needed.

> hmm, could you do some security tests regarding the
> network tricks possible with FreeVPS, I would be very
> interested, what they allow and what not ...

No, I'm not interested in FreeVPS, I'll not use a Red Hat kernel - and I didn't want you to copy the FreeVPS networking solution. But I WOULD LIKE a solution that offers the possibilities that FreeVPS offers, and I described ONE POSSIBLE WAY to do that.

I'd also agree with another solution doing the same thing, but I do not agree with some "interface aliasing / ip number limiting strange thing nobody knows about".

> yeah, we should talk about that on irc, I'm very
> interested in your findings and your approaches and
> of course your ideas, maybe together we can find that
> better solution, which is still missing ...

OK, cu there - when?

> well, real servers have separate network cards, and
> switches guarding between them, but yes, all that is
> possible in software too (see example above)

Yeah, all this is implemented in the default Linux kernel (bridge & tun/tap) - so why not use that?

> > all the nice things like traffic shaping can easily be done,
> > no alias interfaces are needed - but you could create them
> > inside the vserver if you like...
>
> agreed
>
> > have a nice evening!
>
> you too!

After one of my best friends' birthday party, at 7 o'clock in the morning... I can say it was a very funny evening - have a good night :o)

--
Thomas Gelf <[EMAIL PROTECTED]>

_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver