On Wednesday, 08.08.2007, 22:58 +0200, harry wrote:
> Herbert Poetzl wrote:
> <snip>
> > I would say a setup which does S/DNAT on output and
> > input from/to local IPs should do the trick ...
>
> AFAIK, if you add a different routing rule for every IP of your guest,
> to use a different table (with your gateway) it will send all traffic
> for that host to that table and thus gateway (as I do in my scripts I
> mailed you at first... but I do it with "networks" instead of IPs)
except for addresses that are located on the local box itself. Traffic
towards these IPs won't hit the wire, the kernel will route them locally
- the local table is also the first that's in your rules (ip rule ls).
> anyway, it works fine with me, I'd like to help you set up specific
> commands for it if you like...
thanks for the offer. But I don't think that's something that can be
solved with simple source based routing. I'm sure it can be solved with
iptables stuff, as stated in another mail it actually works the way I've
set it up (seems like it worked already 2 weeks ago). It just doesn't
work for ICMP - unfortunately I did the testing with ping only *duh*
> <snip>
> > once again, Linux-VServer is doing IP Isolation, so
> > naturally the network stack is _not_ virtualized and
> > any stack virtualization (bad or good) will be 'better
> > virtualized' in your terminology :)
>
> virtualisation of the network stack will also have implications on the
> performance!
I'm aware of this. Most any security measures do. I'd be willing to
pay this price even though it seems like it's not necessary now that
I've located the problem.
Tom
Received on Wed Aug 8 22:49:28 2007
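Tom's point about the local table, and harry's per-IP rule approach, modelled in Python as an added example (not code from the thread): a small simulation of the Linux policy-routing lookup order, using constructed TEST-NET-1 addresses and table names that are assumptions. Per-source rules steer each guest to its own gateway, but traffic between two addresses on the same box is caught by the local table at priority 0 before any per-guest rule is consulted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress
@dataclass
class Rule:
    prio: int                  # lower number is consulted first (ip rule ls)
    table: str
    src: Optional[str] = None  # "from" selector; None matches every source

@dataclass(frozen=True)
class Route:
    prefix: str
    via: Optional[str] = None  # next-hop gateway; None = deliver locally
    dev: str = "eth0"

def longest_prefix_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Most specific route for dst within a single table, or None."""
    d, best, best_len = ipaddress.ip_address(dst), None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def lookup(rules: List[Rule], tables: Dict[str, List[Route]],
           src: str, dst: str) -> Tuple[str, Route]:
    """Walk rules by priority; a table with no matching route falls through."""
    s = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and s not in ipaddress.ip_network(rule.src):
            continue
        hit = longest_prefix_match(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit
    raise LookupError(f"no route to {dst}")
# Constructed setup (TEST-NET-1): host .10, guests .11 and .12, and one
# per-guest "from" rule pointing at a table with that guest's own gateway.
RULES = [Rule(0, "local"), Rule(1000, "guest11", "192.0.2.11/32"),
         Rule(1001, "guest12", "192.0.2.12/32"), Rule(32766, "main")]
TABLES = {
    "local":   [Route(f"192.0.2.{i}/32", dev="lo") for i in (10, 11, 12)],
    "guest11": [Route("0.0.0.0/0", via="192.0.2.1")],
    "guest12": [Route("0.0.0.0/0", via="192.0.2.2")],
    "main":    [Route("192.0.2.0/24"), Route("0.0.0.0/0", via="192.0.2.1")],
}

def demo() -> Dict[str, Tuple[str, Route]]:
    return {"guest11_out": lookup(RULES, TABLES, "192.0.2.11", "203.0.113.5"),
            "guest12_out": lookup(RULES, TABLES, "192.0.2.12", "203.0.113.5"),
            "guest_to_guest": lookup(RULES, TABLES, "192.0.2.11", "192.0.2.12")}
```

The third lookup never consults the guest11 table: the /32 host route in the local table wins at priority 0, which is why a per-source rule alone cannot redirect guest-to-guest traffic on the same box.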