Article ID: 117027, created on Aug 30, 2013, last review on May 11, 2014

Applies to:
  • Virtuozzo 6.0

Symptoms

The command prlctl set CT_NAME --ipfilter {yes|no} --macfilter {yes|no} has no effect on containers.

Cause

This command changes the filtering rules for virtual machines only; the change is saved to the virtual machine's configuration file.

For the configuration options that apply to containers, refer to the documentation page Network Options.

Resolution

For containers with interfaces in bridged mode, the following rules are applied:

  1. any IP address can be set from inside the container; however, if a specific IP address is defined for a given network interface in the configuration file (in the NETIF option), that IP address is set when the container starts, and, if the prl_disp_service process is running, the IP and MAC filtering rules are applied;

  2. any traffic can be captured on the Ethernet interface inside the container; however, only Ethernet frames addressed to the container's MAC address and broadcast traffic are delivered to the container;

  3. the assigned MAC address cannot be changed from inside the container:

    ~# ip link set eth0 down
    ~# ip link set eth0 addr 00:18:51:c5:74:b9
    RTNETLINK answers: Operation not permitted
    ~#
    

The settings and the operating modes are described in the documentation: Container Network Modes.

However, if an IP address is defined in the configuration file, the filtering rules can be enabled in the Ethernet bridge tables (ebtables).

An example configuration set up by Parallels Server for two containers: #660 has its IP address configured from inside the CT, #661 has its IP address defined in the configuration file:

~# vzctl start 660; vzctl start 661; ebtables-save
Container is mounted
Starting the Container ...
Setting permissions 20002 dev 0x7d00
Adding offline management to Container(1): 4643 8443 4649 
Adding IP addresses: 
Configure virtual adapters: veth660.0 
Configure the bridged network veth660.0/Bridged ...
Hostname of the Container set: bridged.test
Starting the Container ...
Container is mounted
Starting the Container ...
Setting permissions 20002 dev 0x7d00
Adding IP addresses: 
Configure virtual adapters: veth661.0 
Configure the bridged network veth661.0/Bridged ...
Hostname of the Container set: bridged.test
Starting the Container ...
# Generated by ebtables-save v1.0 on Sun Aug 25 14:17:55 NOVT 2013
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:ip-filter-veth661-0 DROP
-A INPUT -i veth661.0 -j ip-filter-veth661-0
-A FORWARD --among-dst 1:80:c2:0:0:0, -j DROP
-A FORWARD -i veth661.0 -j ip-filter-veth661-0
-A ip-filter-veth661-0 --among-src 0:18:51:41:50:68=10.39.82.48, -j ACCEPT
~# 
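The following is an added example, not part of the article or of Virtuozzo: it parses an ebtables-save dump of the kind shown above and reports the FORWARD-chain verdict for a frame arriving from a container's veth interface, so an administrator can confirm that a container's MAC/IP binding is actually enforced (and that an unbound container such as #660 is not filtered). The dump is constructed from the article's output; the frame values used to exercise it are the article's sample MAC/IP values.

```python
EBTABLES_DUMP = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:ip-filter-veth661-0 DROP
-A INPUT -i veth661.0 -j ip-filter-veth661-0
-A FORWARD --among-dst 1:80:c2:0:0:0, -j DROP
-A FORWARD -i veth661.0 -j ip-filter-veth661-0
-A ip-filter-veth661-0 --among-src 0:18:51:41:50:68=10.39.82.48, -j ACCEPT
"""

def norm_mac(mac):
    # ebtables-save prints MACs without leading zeros (0:18:51:...); zero-pad them
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_ebtables(dump):
    # Returns {chain: (policy, [rules])}; a rule keeps -i, --among-src/dst and the -j target
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()
            chains[name] = (policy, [])
        elif line.startswith("-A "):
            toks = line.split()
            rule = {"target": toks[toks.index("-j") + 1],
                    "in": toks[toks.index("-i") + 1] if "-i" in toks else None}
            for opt in ("--among-src", "--among-dst"):
                if opt in toks:  # "mac[=ip],..."; "=ip" binds that MAC to a single source IP
                    entries = toks[toks.index(opt) + 1].rstrip(",").split(",")
                    rule[opt] = {norm_mac(e.split("=")[0]): e.split("=")[1] if "=" in e else None
                                 for e in entries}
            chains[toks[1]][1].append(rule)
    return chains

def verdict(chains, chain, frame):
    # ebtables semantics: the first matching rule decides, else the chain policy (RETURN not modelled)
    policy, rules = chains[chain]
    for r in rules:
        if (r["in"] and r["in"] != frame["in"]) or (
                "--among-dst" in r and norm_mac(frame["dst_mac"]) not in r["--among-dst"]):
            continue
        if "--among-src" in r:
            mac, bound = norm_mac(frame["src_mac"]), r["--among-src"]
            if mac not in bound or (bound[mac] and bound[mac] != frame["src_ip"]):
                continue  # unknown MAC, or a listed MAC sending from a different IP
        tgt = r["target"]
        return verdict(chains, tgt, frame) if tgt in chains else tgt
    return policy  # ip-filter-veth661-0 is DROP, so anything unlisted is dropped
```

Running verdict(parse_ebtables(EBTABLES_DUMP), "FORWARD", frame) for frames from veth661.0 shows that only the bound MAC/IP pair passes, while frames from veth660.0 fall through to the ACCEPT policy because no filter chain exists for it.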

Search Words

ipfilter

bridged mode

ethernet bridge
