What is not clear to me is if the network namespaces also abstract the firewall; e.g. is it possible to have separate firewall rules in each of the network namespaces, or is OpenVZ still needed for that?
Namespaces in operation, part 1: namespaces overview
Posted Jan 4, 2013 15:16 UTC (Fri) by dskoll (subscriber, #1630)
I believe you can have separate iptables rules in each namespace. I'm running an LXC container and it has its own view of iptables separate from the host system.
Namespaces in operation, part 1: namespaces overview
Posted Jan 4, 2013 18:56 UTC (Fri) by luto (subscriber, #39314)
Doing this for a firewall would get messy -- a firewall thinks about packets, not endpoints.
If the kernel had programmable policy for what tasks could listen, accept, and connect on which sockets to which endpoints, on the other hand, firewalls could (on non-routers, anyway) go away and everything would get simpler and faster.
And no, SELinux doesn't count in my book. Try actually programming the policy.
Namespaces in operation, part 1: namespaces overview
Posted Jan 4, 2013 20:56 UTC (Fri) by ebiederm (subscriber, #35028)
Each network namespace is logically a separate networking stack, with separate addresses, separate firewall rules, separate QoS policies etc.
Network devices and sockets belong to a particular network namespace and everything else figures out which network namespace you are talking about from the socket or network device.
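The per-namespace separation described in the comment above can be checked directly. The script below is an added example, not code from any participant in the thread; it assumes root on a Linux host with iproute2 and iptables installed, and the namespace name lwn_ns_demo and port 48219 are arbitrary constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): show that iptables rules live inside a
# network namespace and are invisible from the host's own namespace.
# Assumptions: Linux, root (CAP_SYS_ADMIN + CAP_NET_ADMIN), iproute2, iptables.
# The namespace name and port number are arbitrary, constructed values.
NS=lwn_ns_demo
PORT=48219
MARK="--dport $PORT -j DROP"

# Returns 0 when isolation is confirmed, 2 when the demo cannot run in this
# environment (not root, tools or privileges missing), 1 on a real mismatch.
netns_firewall_demo() {
    [ "$(id -u)" -eq 0 ] || { echo "skip: needs root"; return 2; }
    command -v ip >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1 \
        || { echo "skip: iproute2/iptables not installed"; return 2; }
    ip netns add "$NS" 2>/dev/null || { echo "skip: cannot create netns"; return 2; }

    # A fresh namespace owns only a loopback device; no host interface leaks in.
    if ! ip netns exec "$NS" ip -o link show | grep -q ' lo:'; then
        ip netns del "$NS"; echo "unexpected device list in $NS"; return 1
    fi

    # Install a marker rule in the namespace's own INPUT chain.
    if ! ip netns exec "$NS" iptables -A INPUT -p tcp --dport "$PORT" -j DROP 2>/dev/null; then
        ip netns del "$NS"; echo "skip: cannot change rules inside netns"; return 2
    fi
    in_ns=$(ip netns exec "$NS" iptables -S INPUT 2>/dev/null) || in_ns=
    on_host=$(iptables -S INPUT 2>/dev/null) \
        || { ip netns del "$NS"; echo "skip: host iptables unreadable"; return 2; }
    ip netns del "$NS"   # deleting the namespace discards its ruleset with it

    # The rule must appear in the namespace's chain and nowhere in the host's.
    if printf '%s\n' "$in_ns" | grep -q -- "$MARK" \
       && ! printf '%s\n' "$on_host" | grep -q -- "$MARK"; then
        echo "ok: rule exists only inside $NS; host INPUT chain unchanged"
        return 0
    fi
    echo "mismatch: rule missing in $NS or visible on host"
    return 1
}

if [ "${1:-}" = "run" ]; then netns_firewall_demo; fi
```

Run it as `sudo sh netns_demo.sh run`; the namespace is removed again before the function returns, so nothing persists on the host.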