* interfaces in /proc/net/ip_conntrack
From: Oscar N @ 2007-12-10 17:49 UTC (permalink / raw)
To: netfilter
Are the interfaces saved in any way in a session, or is it only ip src, dst
and ports that are saved and matched against?
Why I ask is because what happens if I configure a linuxbox as two virtual
firewalls with same nets being used on different vlans. Will all the
sessions be separate or will they sometimes "merge" if it happens to be
the same IPs and ports in two sessions?
/Oscar
* Re: interfaces in /proc/net/ip_conntrack
From: Pascal Hambourg @ 2007-12-10 19:26 UTC (permalink / raw)
To: netfilter
Hello,
Oscar N wrote:
> Are the interfaces saved in any way in a session or is it only ip src, dst
> and ports that are saved and matched against?
AFAIK, no; only the MASQUERADE target saves the output interface for
the sole purpose of deleting related conntrack entries when an interface
goes down or its address changes. However you may want to get a more
authoritative answer from a Netfilter developer.
* Re: interfaces in /proc/net/ip_conntrack
From: Martijn Lievaart @ 2007-12-10 23:36 UTC (permalink / raw)
To: oscar; +Cc: netfilter
Oscar N wrote:
> Are the interfaces saved in any way in a session or is it only ip src, dst
> and ports that are saved and matched against?
>
> Why I ask is because what happens if I configure a linuxbox as two virtual
> firewalls with same nets being used on different vlans. Will all the
> sessions be separate or will they sometimes "merge" if it happens to be
> the same IPs and ports in two sessions?
>
Interfaces are not used, not in this sense. In fact, this is a feature.
It allows asymmetric routing, where packets go out through one interface
and the return packets arrive at a different interface.
I would use two physical or virtual machines, as the risk you describe
is real, if remote.
HTH,
M4
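To make the point of the two replies above concrete, here is an added example (not code from the thread or from the Netfilter project) that parses entries in the /proc/net/ip_conntrack layout of the time and builds the key conntrack matches a packet against. The sample entries are constructed: two "virtual firewalls" on VLAN 10 and VLAN 20 that happen to carry a session with identical addresses and ports. The key contains no interface, so the two sessions collapse onto one entry, which is exactly the "merge" the question asks about.

```python
"""Parse classic /proc/net/ip_conntrack lines and show what conntrack keys on.

Added example, not code from the thread. The entries below are constructed
to mirror the scenario discussed: two "virtual firewalls" on different VLANs
that happen to carry the same addresses and ports.
"""
import re
from collections import defaultdict

# Constructed sample entries in the /proc/net/ip_conntrack layout of the era
# (proto, proto number, timeout, optional TCP state, original-direction
# tuple, reply-direction tuple, flags in brackets, then mark/use).
VLAN10_ENTRIES = [
    "tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=44321 dport=443 "
    "src=192.0.2.10 dst=10.0.0.5 sport=443 dport=44321 [ASSURED] mark=0 use=1",
    "udp      17 29 src=10.0.0.7 dst=10.0.0.1 sport=5353 dport=53 "
    "[UNREPLIED] src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5353 mark=0 use=1",
]
VLAN20_ENTRIES = [
    # Same 4-tuple as the first VLAN 10 entry, but seen on the other VLAN.
    "tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=44321 dport=443 "
    "src=192.0.2.10 dst=10.0.0.5 sport=443 dport=44321 [ASSURED] mark=0 use=1",
    "tcp      6 117 TIME_WAIT src=10.0.0.9 dst=192.0.2.20 sport=50000 dport=80 "
    "src=192.0.2.20 dst=10.0.0.9 sport=80 dport=50000 [ASSURED] mark=0 use=1",
]

KV = re.compile(r"(\w+)=(\S+)")
# Keys that belong to a direction tuple (ICMP uses type/code/id instead of ports).
TUPLE_KEYS = ("src", "dst", "sport", "dport", "type", "code", "id")


def parse_entry(line):
    """Return proto, timeout, state, flags, orig/reply tuples and extra fields."""
    tokens = line.split()
    proto, protonum, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)  # TCP state name such as ESTABLISHED
    flags = [t.strip("[]") for t in rest if t.startswith("[")]
    directions = [{}, {}]
    extra = {}
    idx = 0
    for key, value in KV.findall(" ".join(rest)):
        if key in TUPLE_KEYS:
            if key in directions[idx]:
                idx = 1  # a repeated key starts the reply-direction tuple
            directions[idx][key] = value
        else:
            extra[key] = value  # mark=, use=, packets=, bytes= and the like
    return {
        "proto": proto, "protonum": protonum, "timeout": timeout, "state": state,
        "flags": flags, "orig": directions[0], "reply": directions[1], "extra": extra,
    }


def lookup_key(entry):
    """The fields a packet is matched against. Note what is missing: no
    input or output interface, no VLAN, nothing that tells two firewalls
    sharing one conntrack table apart."""
    orig = entry["orig"]
    return (entry["proto"],) + tuple(orig.get(k) for k in ("src", "dst", "sport", "dport"))


def find_collisions(views):
    """views maps a firewall/VLAN name to its entries; returns the lookup keys
    that appear in more than one view, i.e. sessions that would be merged
    if those views were served by a single conntrack table."""
    seen = defaultdict(set)
    for name, lines in views.items():
        for line in lines:
            seen[lookup_key(parse_entry(line))].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    views = {"vlan10": VLAN10_ENTRIES, "vlan20": VLAN20_ENTRIES}
    for key, names in find_collisions(views).items():
        print("shared tuple", key, "seen on", names)
```

Running it reports the one shared TCP tuple as present on both VLANs. The parser tolerates the optional `packets=`/`bytes=` accounting fields and the ICMP `type=`/`code=`/`id=` keys by treating the first repeated tuple key as the start of the reply direction, which is how the flat text layout encodes the two directions.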
* Re: interfaces in /proc/net/ip_conntrack
From: Oscar N @ 2007-12-11 8:03 UTC (permalink / raw)
To: netfilter
> Oscar N wrote:
>> Are the interfaces saved in any way in a session or is it only ip src,
>> dst
>> and ports that are saved and matched against?
>>
>> Why I ask is because what happens if I configure a linuxbox as two
>> virtual
>> firewalls with same nets being used on different vlans. Will all the
>> sessions be separate or will they sometimes "merge" if it happens to be
>> the same IPs and ports in two sessions?
>>
>
> Interfaces are not used, not in this sense. In fact, this is a feature.
> It allows asymmetric routing, where packets go out through one interface
> and the return packets arrive at a different interface.
>
> I would use two physical or virtual machines, as the risk you describe
> is real, if remote.
>
> HTH,
> M4
>
>
Thanks for the answer, I guess it would work that way because interfaces
aren't shown in /proc/net/ip_conntrack.
The whole idea was to create multiple firewalls of one linuxbox, not only
2 but 20 or something like that.
One solution is of course not to run connection tracking at all, but it
would be nice to get it to work. Does anyone know if this would be way too
much work to implement? Otherwise I might get some time over to play with
this.
/Oscar
* Re: interfaces in /proc/net/ip_conntrack
From: Martijn Lievaart @ 2007-12-11 10:03 UTC (permalink / raw)
To: oscar; +Cc: netfilter
Oscar N wrote:
> The whole idea was to create multiple firewalls of one linuxbox, not only
> 2 but 20 or something like that.
>
> One solution is of course not to run connection tracking at all, but it
> would be nice to get it to work. Does anyone know if this would be way too
> much work to implement? Otherwise I might get some time over to play with
> this.
>
> /Oscar
>
Have a look at User Mode Linux (UML). It allows you to run virtual machines
with the least overhead of all virtual machine mechanisms I know. I have
no idea how you have to do the plumbing to get the right packets to the
right VM, but I think it can be done.
M4
* Re: interfaces in /proc/net/ip_conntrack
From: Pascal Hambourg @ 2007-12-11 11:03 UTC (permalink / raw)
To: netfilter
Martijn Lievaart wrote:
> Oscar N wrote:
>
>> The whole idea was to create multiple firewalls of one linuxbox, not only
>> 2 but 20 or something like that.
>>
>> One solution is of course not to run connection tracking at all, but it
>> would be nice to get it to work. Does anyone know if this would be way too
>> much work to implement? Otherwise I might get some time over to play with
>> this.
>
> Have a look at User Mode Linux (UML). It allows you to run virtual machines
> with the least overhead of all virtual machine mechanisms I know. I have
> no idea how you have to do the plumbing to get the right packets to the
> right VM, but I think it can be done.
If the plumbing involves the bridging of virtual ethernet TAP
interfaces, be aware that on a kernel with "Bridged IP/ARP packets
filtering" (CONFIG_BRIDGE_NETFILTER) enabled, by default the Netfilter
and conntrack of the host sees all the bridged IP traffic. See the
/proc/sys/net/bridge/bridge-nf-call-* sysctls to disable this.
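The check Pascal describes, as an added example that is not code from the thread or from the Netfilter project: it reads the bridge-nf-call-* sysctls under /proc/sys/net/bridge (the three key names are the real ones), reports which families of bridged traffic are currently handed to the host's tables and conntrack, and emits the sysctl.conf lines that switch them off. SAMPLE_RAW is constructed to look like a kernel with CONFIG_BRIDGE_NETFILTER at its defaults; the real read returns an empty mapping when the bridge module is not loaded and the directory does not exist.

```python
"""Check the bridge-nf-call-* sysctls that hand bridged frames to the host's
Netfilter and conntrack (CONFIG_BRIDGE_NETFILTER).

Added example, not code from the thread. The directory and the three sysctl
names are the real ones; SAMPLE_RAW is constructed.
"""
import os

BRIDGE_SYSCTL_DIR = "/proc/sys/net/bridge"
BRIDGE_NF_KEYS = (
    "bridge-nf-call-iptables",   # bridged IPv4 frames traverse iptables + conntrack
    "bridge-nf-call-ip6tables",  # same for IPv6
    "bridge-nf-call-arptables",  # bridged ARP traverses arptables
)

# Constructed: what a kernel with bridge netfilter enabled reports by default.
SAMPLE_RAW = {
    "bridge-nf-call-iptables": "1\n",
    "bridge-nf-call-ip6tables": "1\n",
    "bridge-nf-call-arptables": "1\n",
}


def read_bridge_nf_raw(base=BRIDGE_SYSCTL_DIR):
    """Read the raw sysctl file contents; keys that do not exist are skipped,
    so the result is empty when the bridge module is not loaded."""
    raw = {}
    for key in BRIDGE_NF_KEYS:
        try:
            with open(os.path.join(base, key)) as fh:
                raw[key] = fh.read()
        except OSError:
            continue
    return raw


def parse_bridge_nf(raw):
    """Map each present sysctl to True (bridged traffic of that family is
    hooked into the host tables) or False."""
    return {key: raw[key].strip() == "1" for key in BRIDGE_NF_KEYS if key in raw}


def hooked_families(values):
    """Sysctls currently on, i.e. which bridged traffic the host firewall and
    its conntrack table will see."""
    return sorted(key for key, on in values.items() if on)


def disable_lines(values):
    """sysctl.conf lines that switch off the hooks that are on, so the host's
    Netfilter stops tracking traffic that belongs to the bridged guests."""
    return [f"net.bridge.{key} = 0" for key in hooked_families(values)]


if __name__ == "__main__":
    raw = read_bridge_nf_raw()
    source = "live" if raw else "sample (no bridge sysctls on this host)"
    values = parse_bridge_nf(raw or SAMPLE_RAW)
    print(f"{source}: hooked into host Netfilter: {hooked_families(values) or 'none'}")
    for line in disable_lines(values):
        print(line)
```

With all three hooks off, the host's iptables and arptables rules no longer apply to bridged frames at all, which is the intended outcome in the setup discussed here: each guest firewall does its own filtering and tracking. On kernels from 3.18 onward the same sysctls only appear once the br_netfilter module is loaded, so an empty result does not by itself mean the hooks are disabled.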
* Re: interfaces in /proc/net/ip_conntrack
From: Benny Amorsen @ 2007-12-11 11:36 UTC (permalink / raw)
To: netfilter
Martijn Lievaart <m@rtij.nl> writes:
> Have a look at User Mode Linux (UML). It allows you to run virtual
> machines with the least overhead of all virtual machine mechanisms I
> know. I have no idea how you have to do the plumbing to get the right
> packets to the right VM, but I think it can be done.
UML isn't particularly lightweight -- it requires a kernel per name
space. OpenVZ can virtualize machines with just one kernel, but the
conntrack tables will be separate.
(At least I believe that is true, I've used OpenVZ for virtual routers
but not for virtual firewalls.)
/Benny
* Re: interfaces in /proc/net/ip_conntrack
From: Oscar N @ 2007-12-11 12:49 UTC (permalink / raw)
To: Benny Amorsen; +Cc: netfilter
> Martijn Lievaart <m@rtij.nl> writes:
>
>> Have a look at User Mode Linux (UML). It allows you to run virtual
>> machines with the least overhead of all virtual machine mechanisms I
>> know. I have no idea how you have to do the plumbing to get the right
>> packets to the right VM, but I think it can be done.
>
> UML isn't particularly lightweight -- it requires a kernel per name
> space. OpenVZ can virtualize machines with just one kernel, but the
> conntrack tables will be separate.
>
> (At least I believe that is true, I've used OpenVZ for virtual routers
> but not for virtual firewalls.)
>
>
> /Benny
I've tried UML and didn't like the approach. OpenVZ seems more interesting
and I will take a look at it before I try some conntrack modifying.
Thanks for the tip Benny.
/Oscar
* Re: interfaces in /proc/net/ip_conntrack
From: Martijn Lievaart @ 2007-12-11 17:46 UTC (permalink / raw)
To: Benny Amorsen; +Cc: netfilter
Benny Amorsen wrote:
> Martijn Lievaart <m@rtij.nl> writes:
>
>
>> Have a look at User Mode Linux (UML). It allows you to run virtual
>> machines with the least overhead of all virtual machine mechanisms I
>> know. I have no idea how you have to do the plumbing to get the right
>> packets to the right VM, but I think it can be done.
>>
>
> UML isn't particularly lightweight -- it requires a kernel per name
> space. OpenVZ can virtualize machines with just one kernel, but the
> conntrack tables will be separate.
>
Thanks, I wasn't aware of OpenVZ, will look into that.
M4