From: Veit Wahlich (cru_at_legalized.de)
Date: Fri 30 Jul 2004 - 16:55:31 BST
Hi Pavel!
I gave lectures about virtualization and the current stable branch of
vservers at CCC-Z23/CCC-RP where I had to refer to by-IP chains for each
vserver for both incoming and outgoing packets and I had to admit it
becomes impracticable if using CAP_NET_RAW or shared IPs.
The only useful idea to solve this problem was exactly what you
implemented now. Since that time extending ipt_owner was one thing on my
todo list... Great thing, thank you. :)
@Herbert:
What about exporting environment variables containing useful data (read:
at least context id) when /etc/vservers/*.sh are executed? Doing so we
could exec some kind of iptables wrapper from *.sh or configure iptables
directly from *.sh without the need of using fixed context ids. This
also satisfies other per-context-id configuration needs.
Maybe this is also done but I have not noticed yet... ;)
Best regards,
// Veit
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
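An added example, not part of Veit's mail or of the Linux-VServer project: a POSIX shell wrapper of the kind the mail proposes, meant to be called from a per-vserver hook script instead of hard-coding context ids. It assumes the hook environment exports VSERVER_CTX (the context id) and VSERVER_IP (the context's address); both names are assumptions. It also assumes the extended owner match accepts a per-context `--xid-owner` option; that flag name is an assumption, so check `iptables -m owner --help` on a patched host before relying on it. IPT_DRYRUN=1 prints the rules instead of applying them, which is how the validation below is exercised without root.

```shell
#!/bin/sh
# Example wrapper (added here; not from the mail or the vserver project).
# Assumed hook variables: VSERVER_CTX (context id), VSERVER_IP (context address).
# Assumed match option: -m owner --xid-owner <ctx> (name not confirmed by the mail).
# IPT_DRYRUN=1 echoes the commands instead of running iptables.

IPTABLES="${IPTABLES:-iptables}"

# A context id must be a plain positive integer; anything else (empty string,
# "42;rm -rf /", "0") is rejected before it can reach the iptables command line.
valid_ctx() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run or echo one iptables invocation.
run() {
    if [ "${IPT_DRYRUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Build per-context chains: outgoing packets owned by the context may only
# carry the context's own source address; incoming packets to that address
# are routed through a chain that can be tightened per vserver later.
ctx_rules() {
    ctx="$1"
    ip="$2"
    if ! valid_ctx "$ctx"; then
        echo "ctx_rules: refusing bad context id '$ctx'" >&2
        return 1
    fi
    run -N "vs_${ctx}_out"
    run -A OUTPUT -m owner --xid-owner "$ctx" -j "vs_${ctx}_out"
    run -A "vs_${ctx}_out" -s "$ip" -j ACCEPT
    run -A "vs_${ctx}_out" -j DROP
    run -N "vs_${ctx}_in"
    run -A INPUT -d "$ip" -j "vs_${ctx}_in"
    run -A "vs_${ctx}_in" -j ACCEPT
}

# Hook entry point: only act when the (assumed) variables are present.
if [ -n "${VSERVER_CTX:-}" ] && [ -n "${VSERVER_IP:-}" ]; then
    ctx_rules "$VSERVER_CTX" "$VSERVER_IP"
fi
```

The DROP at the end of the outgoing chain is the point of matching on the owner rather than on the address: a process inside the context that binds a raw socket or a shared IP still has its packets attributed to its context id, so the rule set no longer depends on the source address alone.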