Hi list,
I have a problem with the network setup of guest/host. I guess it is a
configuration problem somewhere.
Test within guest vserver (10.10.34.8):
# nc 127.0.0.1 8888
log:
Jul 10 10:36:28 ubuntuhardy804-tszsim kernel: [618391.105317]
iptables:DROP-ERROR IN= OUT=lo SRC=127.0.0.1 DST=10.10.34.8 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=36395 DF PROTO=TCP SPT=40660 DPT=8888
WINDOW=32792 RES=0x00 SYN URGP=0 UID=107
# nc -s 127.0.0.1 127.0.0.1 8888
log:
Jul 10 10:36:53 ubuntuhardy804-tszsim kernel: [618416.098070]
iptables:DROP-ERROR IN= OUT=lo SRC=10.10.34.8 DST=10.10.34.8 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=64171 DF PROTO=TCP SPT=55550 DPT=8888
WINDOW=32792 RES=0x00 SYN URGP=0 UID=107
Difference:
SRC=127.0.0.1 DST=10.10.34.8
SRC=10.10.34.8 DST=10.10.34.8
Without firewall, these packets are sent:
10:42:17.209027 IP 127.0.0.1.42139 > 10.10.34.8.8888: S
3901816085:3901816085(0) win 32792 <mss 16396,sackOK,timestamp 61785798
0,nop,wscale 6>
0x0000: 4500 003c 3bd3 4000 4006 53d6 7f00 0001 E..<;.@.@.S.....
0x0010: 0a0a 2208 a49b 22b8 e890 fd15 0000 0000 .."...".........
0x0020: a002 8018 6b0e 0000 0204 400c 0402 080a ....k.....@.....
0x0030: 03ae c6c6 0000 0000 0103 0306 ............
10:43:39.841038 IP 10.10.34.8.50396 > 10.10.34.8.8888: S
891828880:891828880(0) win 32792 <mss 16396,sackOK,timestamp 61794061
0,nop,wscale 6>
0x0000: 4500 003c dd9d 4000 4006 04fb 0a0a 2208 E..<..@.@.....".
0x0010: 0a0a 2208 c4dc 22b8 3528 3a90 0000 0000 .."...".5(:.....
0x0020: a002 8018 f363 0000 0204 400c 0402 080a .....c....@.....
0x0030: 03ae e70d 0000 0000 0103 0306 ............
Is there a way to prohibit the use of src=127.0.0.1 in packets from guest?
Regards, roman
PS:
Linux version 2.6.22.19-vs2.2.0.7-i586 (root@localhost) (gcc version
4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Mon Jun 2
07:52:13 UTC 2008
# CONFIG_VSERVER_LEGACY is not set
# CONFIG_VSERVER_LEGACYNET is not set
# CONFIG_VSERVER_REMAP_SADDR is not set
CONFIG_VSERVER_COWBL=y
# CONFIG_VSERVER_VTIME is not set
CONFIG_VSERVER_PROC_SECURE=y
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_IDLETIME=y
# CONFIG_VSERVER_IDLELIMIT is not set
# CONFIG_TAGGING_NONE is not set
# CONFIG_TAGGING_UID16 is not set
# CONFIG_TAGGING_GID16 is not set
CONFIG_TAGGING_ID24=y
# CONFIG_TAGGING_INTERN is not set
# CONFIG_TAG_NFSD is not set
# CONFIG_PROPAGATE is not set
CONFIG_VSERVER_PRIVACY=y
CONFIG_VSERVER_CONTEXTS=256
CONFIG_VSERVER_WARN=y
# CONFIG_VSERVER_DEBUG is not set
CONFIG_VSERVER=y
CONFIG_VSERVER_SECURITY=y
CONFIG_VSERVER_NGNET=y
Received on Thu Jul 10 11:35:10 2008
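
An added example, not part of the original post: a small Python parser that rejoins the wrapped netfilter LOG lines quoted in the message and labels each dropped packet by its SRC/DST relationship on the lo device, which is the difference the poster points out. The function names and category labels are assumptions made for this example.

```python
import ipaddress
import re

# Log text copied from the post above, including the mail client's line wrapping.
SAMPLE_LOG = """\
Jul 10 10:36:28 ubuntuhardy804-tszsim kernel: [618391.105317]
iptables:DROP-ERROR IN= OUT=lo SRC=127.0.0.1 DST=10.10.34.8 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=36395 DF PROTO=TCP SPT=40660 DPT=8888
WINDOW=32792 RES=0x00 SYN URGP=0 UID=107
Jul 10 10:36:53 ubuntuhardy804-tszsim kernel: [618416.098070]
iptables:DROP-ERROR IN= OUT=lo SRC=10.10.34.8 DST=10.10.34.8 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=64171 DF PROTO=TCP SPT=55550 DPT=8888
WINDOW=32792 RES=0x00 SYN URGP=0 UID=107
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ kernel:")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; IN= may be empty

def join_records(text):
    """Rejoin wrapped lines: a syslog timestamp starts a new record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def classify(fields):
    """Label a logged packet by how its source relates to its destination."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if fields.get("OUT") != "lo":
        return "not-on-lo"
    if src.is_loopback and not dst.is_loopback:
        return "loopback-src-nonloopback-dst"
    return "src-equals-dst" if src == dst else "other"

def analyze(text):
    """Return (SRC, DST, DPT, label) for every record that carries addresses."""
    out = []
    for record in join_records(text):
        fields = dict(FIELD.findall(record))
        if "SRC" in fields and "DST" in fields:
            out.append((fields["SRC"], fields["DST"], fields.get("DPT"), classify(fields)))
    return out

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row)
```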