Thanks Herbert, I will definitely keep testing to see if all works as said. If there are any issues, I will let the list know.
btw, is it normal that the routing table in a guest looks something like the same as the one on the host, except for the default gw? All the fields for default gw show 0.0.0.0?

Regards,
-nik

On Sat, 2006-05-13 at 16:50 +0200, Herbert Poetzl wrote:
> On Sat, May 13, 2006 at 03:45:38PM +0300, Nikolay Kichukov wrote:
> > Good afternoon all.
> >
> > The topic I would like to discuss here is how one is able to set up the
> > host so it does traffic accounting with iptables and traffic shaping
> > and policing with iproute2 for a guest on the host.
> >
> > What brought me to this was a recent posting named "What is the best
> > way to connect from 1 vserver to other vserver within the same host
> > ?" There I learned that the guest connections actually go through
> > the host lo interface?! Which alternatively made me think why did I
> > ever create a file called dev with one of my interfaces there if the
> > traffic from the guest goes through the host loopback device? Can
> > someone please elaborate a bit more on this topic?
>
> well, it's the way the linux (and probably many other)
> network stack works, local traffic is sent via lo,
> remote traffic is sent via some network card/interface
>
> check out this ancient posting for some ideas:
> http://archives.linux-vserver.org/200311/0470.html
>
> > Then, having the following setup:
> > dev=eth0 which is the interface that is connected to the internal LAN
> > ip=localIPaddress of the vserver
> >
> > in this scenario I have an entry in the nat table on the host that
> > allows the guest to use the internet on the $EXTERNALINTERFACE :
> >
> > iptables -t nat -A POSTROUTING -s localIPaddress/32 -j SNAT --to-source $EXTERNALIP
> >
> > is there a way I can go without that if I configure the guest with
> > nodev?
>
> dev vs nodev does not change _anything_ regarding
> the way how the routing, nat and networking works
>
> 'dev' means that on guest startup, the 'ip' is
> created on that device, and on guest shutdown the
> same ip is removed again. 'nodev' just means that
> no ip is created at all, and the specified 'ip'
> is considered to exist already ...
>
> > Now about the traffic accounting topic, which are the tables that the
> > packets generated from the guest and going back to the guest traverse
> > to get to the internet on the $EXTERNALINTERNET eth1? If dev contains
> > eth0, that is the internal interface and the other variant with nodev?
>
> there is no 'internal' interface except for lo for
> local traffic, for the 'external' traffic, the routing
> and device setup will decide which ip and interface
> is used ...
>
> > The other point is about traffic shaping and policing. I use tc to do
> > traffic shaping and policing for computers in the LAN and for the host
> > itself. Now if I want to add limits for the guest, can I use eth0 to
> > limit the max allowed outgoing speed? And then the max download speed
> > on eth0? As a summary - will the packets on the guest go through the
> > eth0?
>
> everything, including the traffic accounting and
> network shaping work like on a normal linux system,
> all connections from a guest can be considered like
> the host connections, so all that stuff is identical
> to a linux system without the Linux-Vserver patch
>
> > Maybe that e-mail got too long and difficult to follow.
> > Any help or further questions will be appreciated...
>
> HTH,
> Herbert
>
> > Thanks and Regards,
> > -Nik

--
When we are happy, we are good. But when we are good, we are not always happy... -Oscar Wilde
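As an added example (not code from the thread or from Linux-VServer itself), here is the setup Nik asked about with Herbert's point applied: a guest's sockets are the host's sockets, so per-guest accounting and SNAT key on the guest IP in the host's own INPUT/OUTPUT and POSTROUTING chains, and the counters are read back from iptables. The guest IP 10.0.0.10, external address 192.0.2.1 and an existing HTB class 1:10 on eth1 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Linux-VServer guests share the host's
# network stack, so a guest's packets traverse the host's own INPUT/OUTPUT
# chains (never FORWARD) and leave via whatever interface routing picks.
# Assumed/constructed: guest IP 10.0.0.10, external interface eth1,
# external IP 192.0.2.1, an HTB qdisc on eth1 that already has class 1:10.

# Print (do not apply) the per-guest rules. The accounting rules have no
# target, so they only count; the comment match tags the counter with the
# guest IP so it can be found again in the iptables listing.
guest_rules() {
    # $1 = guest IP, $2 = external interface, $3 = external IP
    cat <<EOF
iptables -A OUTPUT -s $1 -o $2 -m comment --comment guest:$1
iptables -A INPUT -d $1 -i $2 -m comment --comment guest:$1
iptables -t nat -A POSTROUTING -s $1/32 -o $2 -j SNAT --to-source $3
tc filter add dev $2 parent 1: protocol ip prio 1 u32 match ip src $1/32 flowid 1:10
EOF
}

# Constructed output of 'iptables -L -v -x -n' after some traffic
# (-x keeps the byte counters as exact integers so awk can sum them).
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 900 packets, 120000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     300      42000            all  --  eth1   *       0.0.0.0/0            10.0.0.10            /* guest:10.0.0.10 */
Chain OUTPUT (policy ACCEPT 700 packets, 90000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      18000            all  --  *      eth1    10.0.0.10            0.0.0.0/0            /* guest:10.0.0.10 */
      10       1500            all  --  *      eth1    10.0.0.11            0.0.0.0/0            /* guest:10.0.0.11 */'

# Total bytes (in + out) counted for one guest: sum column 2 (bytes) of
# every rule tagged with that guest's full comment, so 10.0.0.1 never
# matches 10.0.0.10.
guest_bytes() {
    # $1 = guest IP, $2 = iptables -L -v -x -n output
    printf '%s\n' "$2" | awk -v tag="/* guest:$1 */" 'index($0, tag) { s += $2 } END { print s + 0 }'
}

guest_rules 10.0.0.10 eth1 192.0.2.1
echo "guest 10.0.0.10 total bytes: $(guest_bytes 10.0.0.10 "$SAMPLE_COUNTERS")"
```

Because the OUTPUT rule sits before POSTROUTING, it still sees the guest's LAN address; replies are un-NATed in PREROUTING, so the INPUT rule sees it too.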
