[PLDWWW] page changed: docs:lxc
"Elan Ruusamäe (glen)"
glen at pld-linux.org
Mon Dec 9 15:33:41 CET 2013
load iptables from hook
--- https://www.pld-linux.org/docs/lxc?rev=1385306308
+++ https://www.pld-linux.org/docs/lxc
@@ -115,8 +115,10 @@
- uses ''macvlan''
- that interface is NOT visible on host
- you can't filter it from host's firewall
- you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic).
+ - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible)
+
first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config.
also you may use some generation techniques like these: using last three ip numbers and [[http://xenbits.xen.org/docs/4.3-testing/misc/xl-network-configuration.html|Xen's OUI (00:16:3e)]] address space. If IP is ''192.168.2.160'', then:
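Review bot: the new bullet reads as if it contradicts the item two lines above it ("you can't filter it from host's firewall"); make the relationship explicit, e.g. "you can't filter it from the host's firewall, so iptables is initialized from the lxc.hook.pre-mount hook (run in the container's namespace, where the macvlan interface is visible)". Also "ran" should be "run", and the bullet should use the same "- " indentation as the list items above it.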
@@ -133,5 +135,8 @@
lxc.network.macvlan.mode = bridge
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.2.160/23
lxc.network.ipv4.gateway = 192.168.2.1
+
+ lxc.hook.pre-mount = /sbin/service iptables start
+ lxc.cap.drop = net_admin
</file>
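Review bot: the two added lines need a sentence saying why they belong together: lxc.cap.drop = net_admin is what keeps the container from flushing or altering the rules the pre-mount hook loaded, and that only holds because the hook runs before capabilities are dropped. It should also say which rules file /sbin/service iptables start reads, since a pre-mount hook runs before the container's rootfs is set up and a reader will otherwise assume the container's own configuration is used. Worth adding as well that a container without net_admin cannot configure its interface itself, which is why the lxc.network.ipv4 and lxc.network.ipv4.gateway lines above are required for this setup.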
Diff URL:
https://www.pld-linux.org/docs/lxc?do=diff&r1=1385306308&r2=1386599621
--
This mail was generated by DokuWiki at
https://www.pld-linux.org/