[systemd-devel] systemd-nspawn and IPv6
Lennart Poettering
lennart at poettering.net
Mon Apr 27 12:45:01 PDT 2015
On Mon, 27.04.15 20:17, Kai Krakow (hurikhan77 at gmail.com) wrote:
> Tomasz Torcz <tomek at pipebreaker.pl> wrote:
>
> >> Well, would that enable automatic, correcting routing between the
> >> container and the host's external network? That's kinda what this all
> >> is about...
> >
> > If you have radvd running, it should. By the way, speaking of NAT
> > in context of IPv6 is a heresy.
>
> Why? Its purpose here is not saving some addresses (we have many in IPv6),
> its purpose is to have security and containment. The services provided by
> the container - at least in my project - are meant to be seen as a service
> of the host (as Lennart pointed out as a possible application in another
> post). I don't want the containers being addressable/routable from outside
> in. And putting a firewall in place to counterfeit this is just security by
> obscurity: Have one configuration problem and your firewall is gone and the
> container publicly available.
>
> The whole story would be different if I'd setup port forwarding afterwards
> to make services from the containers available - but that won't be
> the case.
Sidenote: systemd-nspawn already covers that for ipv4: use the --port=
switch (or -p).
Lennart
--
Lennart Poettering, Red Hat
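As an added illustration of the --port= hint above (this is not code from the thread or from the systemd project, and the machine name "web" and the port numbers are assumptions), the same mapping can be kept in a per-container .nspawn file so that machinectl/systemd-nspawn@.service applies it on every start. The Port= lines correspond one-to-one to --port= on the command line, and they only take effect together with private networking (VirtualEthernet=, or a zone/bridge), because the mapping is a host-side NAT rule into the container's veth. That rule is IPv4-only, which is exactly the limitation Lennart is pointing at; IPv6 traffic is not forwarded by it.

```ini
# /etc/systemd/nspawn/web.nspawn
# Assumed machine name "web"; the ports below are example values.
[Exec]
Boot=yes

[Network]
# Put the container in its own network namespace with a veth pair to the host.
# Port= is only honoured when private networking is in use.
VirtualEthernet=yes

# Host TCP 8080 -> container TCP 80.  Same as: systemd-nspawn --port=tcp:8080:80
# Implemented as an IPv4 NAT rule on the host, so it covers IPv4 only.
Port=tcp:8080:80

# Several Port= lines may be given; the protocol defaults to tcp if omitted.
Port=udp:5353:5353
```

With this in place the container keeps no routable address of its own on the host's external network; only the listed host ports reach it, which is the "service of the host" model the quoted message describes, minus the firewall-misconfiguration exposure it worries about. Verify after start with machinectl status web (which shows the veth and addresses) and by listing the host's NAT table.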