OpenVZ Virtuozzo Containers Wiki β

Source based routing

2,072 bytes added, 18:33, 16 December 2013
Sometimes you have more than one router in your network, and want different [[container]]s to use different routers. Other times you may have a single HN with IP addresses on different networks and want to assign containers addresses from those networks. Let's say you have a HN with an IP address in network 192.168.100.0/24 (192.168.100.10) and an IP address in 192.168.200.0/24 (192.168.200.10). Maybe those addresses are on different VLANs. Maybe one is an internal network and the other faces the wider internet. Maybe you have 10 different networks assigned to the HN. It does not matter as long as there is a gateway on each of those networks. In our example we will assume the gateways are 192.168.100.1 and 192.168.200.1. You want any container assigned an address in the 192.168.100.0/24 network to use 192.168.100.1 and any container assigned an address in the 192.168.200.0/24 network to use 192.168.200.1. By default the network traffic coming from a container will use the default gateway on the HN to reach the rest of the world. If we want our containers to use the gateways on their respective networks we need to configure source-based routing on the HN. This involves creating an additional routing table and a rule that redirects traffic from those source addresses into it. For example:
<pre>
# /sbin/ip rule add from 192.168.100.0/24 table 10000
# /sbin/ip route add throw 192.168.100.0/24 table 10000
# /sbin/ip route add default via 192.168.100.1 table 10000
</pre>
The first line adds a routing rule. This rule tells the system to use an alternate routing table when trying to route packets from a certain source. In this case we are telling the system that if a packet originates from a 192.168.100.0/24 address it should use routing table 10000. The table number is unique and simply must be an unused table number on your system. I tend to start at 10000, but you can start your numbering wherever is convenient; note that tables 250-255 are usually reserved (see <code>/etc/iproute2/rt_tables</code>). To see which tables the existing rules already refer to you can use:
 
<pre>
# /sbin/ip rule list
</pre>
Next we add two routes to table 10000 (the second and third lines). The first one is a throw route. A throw route merely tells the system to stop processing the current table if the destination address matches the criteria provided, and to continue with the next rule instead. This will allow the containers to continue to reach other systems on our 192.168.100.0/24 network directly, without trying to send that traffic to the default gateway we provide. And the second route provides that default gateway.
Note that every new non-standard gateway will require another table number. Now all we need to do is repeat this for our second network:
<pre>
# /sbin/ip rule add from 192.168.200.0/24 table 10001
# /sbin/ip route add throw 192.168.200.0/24 table 10001
# /sbin/ip route add default via 192.168.200.1 table 10001
</pre>
Here we have changed the networks in the rule and routes and used a different table number. Everything else stays the same. You can, of course, add as many routes to a particular table as you like. If you want to allow a container in the 192.168.100.0/24 network to reach the 192.168.200.0/24 network without using the gateway, you can add another throw route and allow the HN's default routing table to take effect:
<pre>
# /sbin/ip route add throw 192.168.200.0/24 table 10000
</pre>
A previous version of this page suggested adding an additional route for each container IP (<code>/sbin/ip route add $IP dev venet0 scope link table $TBL</code>) in order to allow the HN to contact the container. Indeed this would be required if we did not provide the throw route, since the HN's own 192.168.100.10 address also matches the rule, but maintaining such a configuration requires adding new routes for every container. <code>vzctl set <ctid> --ipadd <ip></code> adds a container's route to the main routing table by default, but not to our custom routing table. The configuration here only requires rules to be modified when changes are made to the networks, not to each container.
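The whole procedure above, generalised to any number of HN networks, as an added example that is not part of the original wiki page: it allocates one table per network starting at 10000, emits the rule, the throw route and the default route for each, adds the cross-network throw routes, and refuses to apply if a chosen table is already referenced by an existing rule. The networks and gateways are the page's example values; the script itself, its function names and the <code>--apply</code> flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: build the rule/route set
# described above for any number of HN networks, one table per network
# starting at 10000, plus the cross-network throw routes. The networks and
# gateways used are the page's example values; nothing else is assumed.
set -eu
BASE_TABLE=10000

# Three commands for one network: the rule selecting the table, a throw for
# the network itself (on-link traffic falls through to the main table), and
# the default route via that network's gateway.
source_routes() {
    net=$1 gw=$2 tbl=$3
    printf '/sbin/ip rule add from %s table %s\n' "$net" "$tbl"
    printf '/sbin/ip route add throw %s table %s\n' "$net" "$tbl"
    printf '/sbin/ip route add default via %s table %s\n' "$gw" "$tbl"
}

# Throw routes for every other HN network, so containers reach them through
# the main table instead of being sent to their own gateway.
cross_throws() {
    net=$1 tbl=$2; shift 2
    for other in "$@"; do
        [ "$other" = "$net" ] || printf '/sbin/ip route add throw %s table %s\n' "$other" "$tbl"
    done
}

# plan "NET GW" ["NET GW" ...]: the complete command list, in order.
plan() {
    nets=""
    for pair in "$@"; do nets="$nets ${pair%% *}"; done
    tbl=$BASE_TABLE
    for pair in "$@"; do
        source_routes "${pair%% *}" "${pair#* }" "$tbl"
        cross_throws "${pair%% *}" "$tbl" $nets
        tbl=$((tbl + 1))
    done
}
example_plan() {
    plan "192.168.100.0/24 192.168.100.1" "192.168.200.0/24 192.168.200.1"
}

# A table is in use if an existing rule already points at it (ip rule list).
table_in_use() { ip rule list 2>/dev/null | grep -q "lookup $1\$"; }

if [ "${1:-}" = "--apply" ]; then   # run as root; default is a dry run
    example_plan | awk '{print $NF}' | sort -u | while read -r tbl; do
        if table_in_use "$tbl"; then echo "table $tbl in use" >&2; exit 1; fi
    done
    example_plan | while read -r cmd; do $cmd; done
else
    example_plan
fi
```

Without <code>--apply</code> the script only prints the eight commands it would run, so the plan can be reviewed before touching the HN's routing tables.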
For more details on routing rules, see <code>man ip</code>.