1715751658 J * Ghislain ~ghislain@adsl2.aqueos.com
1715759173 M * torrunes 20 years and counting here. We could move to lxc, but having grown to be familiar with vs, it is really good to be able to continue. Re features; if network namespaces works just as well, that is not a problem. Accounting: Does not use.
1715759217 M * torrunes our main problem is the need to use newer kernels to support newer hardware than what works with 4.9.
1715759291 M * torrunes if there are any patches for newer kernels, we of course volunteer to test. :)
1715760320 M * Guy- torrunes: network namespaces don't work just as well; they're more complicated and you can't set up networking to work *exactly* the way it does with vserver
1715760353 M * Guy- for a while I thought ipvlan would be a work-alike solution, but no
1715765090 M * torrunes Guy: Ok, thanks
1715766044 M * Bertl macvlan works quite nice for guest systems when they get a dedicated 'interface'/ip
1715766131 M * Guy- yes, but also no -- there are issues talking to the host, and/or with the host talking to the guests
1715766182 M * Bertl correct, it is more a 'dedicated interface' thing
1715766224 M * Guy- (it's the same with ipvlan)
1715766265 M * Bertl but it works if you add a macvlan bridge to the mix
1715766305 M * Guy- I experimented a lot with all this back in January and even with the bridge it wasn't perfect, but I don't remember anymore what the problem was
1715766350 M * Guy- (I remember it was also necessary to set up a macvlan interface on the host; and maybe the issue was that tickets from one guest to the other didn't hit iptables NAT rules set on the host?)
1715766449 M * Guy- ah, I found my notes on what was wrong with ipvlan
1715766467 M * Guy- * External→guest traffic only hits host netfilter rules (even in the l3s mode) if the guest's ipvlan interface is attached to a bridge interface on the host, not a plain interface.
1715766480 M * Guy- * Guest→guest traffic apparently never hits the host netfilter rules, not even the raw table.
1715766491 M * Guy- * Not even when the br_netfilter module is loaded.
1715766498 M * Guy- * Not even after ebtables -t broute -A BROUTING -j DROP, which normally causes all traffic that would ordinarily be bridged to be routed instead.
1715768438 M * Bertl I just tested this and I can easily block the traffic between two macvlan guests on the host with just the ebtables forward policy
1715768521 M * Bertl anyway, I totally agree that macvlan is not a one-to-one replacement for the ip sharing and ip isolation Linux-Vserver does
1715768984 M * Guy- what would have been important to me was DNAT, not filtering
1715769071 M * Bertl yeah, that might be trickier ...
1715779950 Q * Ghislain Ping timeout: 480 seconds
1715780040 J * Ghislain ~ghislain@adsl2.aqueos.com
1715785473 Q * Ghislain Ping timeout: 480 seconds
1715785617 J * Ghislain ~ghislain@adsl2.aqueos.com
1715789431 Q * Ghislain Ping timeout: 480 seconds
1715790113 J * Ghislain ~ghislain@93-116-190-109.dsl.ovh.fr
1715811082 Q * Ghislain