This shows you the differences between two versions of the page.
docs:lxc [2013-11-24 16:18] glen [loginuid]
docs:lxc [2013-12-09 15:33] glen load iptables from hook
Line 117: | Line 117: | ||
- you can't filter it from host's firewall | - you can't filter it from host's firewall | ||
- you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | - you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | ||
+ | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible) | ||
+ | |||
first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | ||
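Review bot: the new bullet has a grammar slip and leaves out the one detail a reader needs. "ran in the container's namespace and having macvlan interface visible" should read "run in the container's network namespace, with the macvlan interface visible". More importantly, say which rules file gets loaded: ''lxc.hook.pre-mount'' runs before the container's rootfs is set up, so ''/sbin/service iptables start'' and the ruleset it reads are resolved on the host side, not from the container's own filesystem; without that sentence readers will edit the container's rules file and wonder why nothing changes.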
Line 135: | Line 137: | ||
lxc.network.ipv4 = 192.168.2.160/23 | lxc.network.ipv4 = 192.168.2.160/23 | ||
lxc.network.ipv4.gateway = 192.168.2.1 | lxc.network.ipv4.gateway = 192.168.2.1 | ||
+ | |||
+ | lxc.hook.pre-mount = /sbin/service iptables start | ||
+ | lxc.cap.drop = net_admin | ||
</file> | </file> |
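Review bot: the two added keys belong together and the config should say so in a comment. ''lxc.hook.pre-mount = /sbin/service iptables start'' loads the ruleset once at container start, and ''lxc.cap.drop = net_admin'' is what stops processes inside the container from flushing or rewriting it afterwards (and from reconfiguring the interface); one without the other does not give the protection the page is after. Also document the failure mode: if the hook command exits non-zero, LXC aborts the container start, so a broken rules file means the container will not boot, and because net_admin is dropped there is no way to fix the rules from inside the running container, only by editing the file and restarting it.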