[systemd-devel] systemd-nspawn and IPv6

Kai Krakow hurikhan77 at gmail.com
Mon Apr 27 11:17:03 PDT 2015


Tomasz Torcz <tomek at pipebreaker.pl> schrieb:

>> Well, would that enable automatic, correcting routing between the
>> container and the host's external network? That's kinda what this all
>> is about...
> 
> If you have radvd running, it should.  By the way, speaking of NAT
> in context of IPv6 is a heresy.

Why? Its purpose here is not saving some addresses (we have many in IPv6), 
its purpose is to have security and containment. The services provided by 
the container - at least in my project - are meant to be seen as a service 
of the host (as Lennart pointed out as a possible application in another 
post). I don't want the containers being addressable/routable from outside 
in. And putting a firewall in place to counterfeit this is just security by 
obscurity: Have one configuration problem and your firewall is gone and the 
container publicly available.

The whole story would be different if I'd set up port forwarding afterwards 
to make services from the containers available - but that won't be the case.

Each container has to be in its own private network (or grouped into a 
private network with selected other containers). Only gateway services on 
the host system (like a web proxy) are allowed to talk to the containers.

-- 
Replies to list only preferred.
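The containment goal stated above (containers hold only non-routable addresses, and only gateway services on the host reach them) can be checked from inside a container rather than trusted to a firewall. The script below is an added example, not code from this thread or from systemd; it parses the text output of `ip -6 addr show` and flags any address that falls in the global unicast range 2000::/3. Note that `ip` prints `scope global` for unique-local (fc00::/7) addresses too, so the scope word alone does not tell you whether an address is internet-routable; the prefix check does. The sample output, interface names and addresses are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -6 addr show` output as it might look inside a
# container; interface names and addresses are hypothetical.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: host0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fd12:3456:789a::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
3: host1@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1::42/64 scope global dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::abcd:ef01:2345:6789/64 scope link
       valid_lft forever preferred_lft forever
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # internet-routable range
ULA = ipaddress.ip_network("fc00::/7")             # RFC 4193 unique local
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

_IFACE_RE = re.compile(r"^(\d+): ([^:@\s]+)")
_ADDR_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\S+)")


def classify(addr: str) -> str:
    """Classify an IPv6 address by routability class, independent of the
    'scope' word that `ip` prints (ULA also shows as 'scope global')."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a in LINK_LOCAL:
        return "link-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"  # loopback, unspecified, multicast, etc.


def parse_ip6_addr(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map interface name -> [(address, scope), ...] from `ip -6 addr` text."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    iface = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(2)
            result.setdefault(iface, [])
            continue
        m = _ADDR_RE.match(line)
        if m and iface is not None:
            result[iface].append((m.group(1), m.group(3)))
    return result


def find_routable(text: str) -> List[Tuple[str, str]]:
    """Return (interface, address) pairs that are globally routable, i.e. the
    addresses that would make a container reachable from outside."""
    found = []
    for iface, addrs in parse_ip6_addr(text).items():
        for addr, _scope in addrs:
            if classify(addr) == "global":
                found.append((iface, addr))
    return found


def is_contained(text: str) -> bool:
    """True when no interface carries a global unicast address."""
    return not find_routable(text)


if __name__ == "__main__":
    for iface, addr in find_routable(SAMPLE_IP6_ADDR):
        print(f"WARNING: {iface} has globally routable address {addr}")
    print("contained" if is_contained(SAMPLE_IP6_ADDR) else "NOT contained")
```

Run it against live output with `ip -6 addr show | python3 check.py` after changing the `__main__` block to read `sys.stdin`; in the constructed sample, `host0` carries only a ULA and a link-local address (as the private-network design intends), while `host1` has picked up a 2001:db8::/32 address, which is exactly the condition a radvd advertisement on the wrong segment would produce.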


