Is it possible to enable IP forwarding inside an OpenVZ container but keep it disabled in the host system?

I understand that OpenVZ containers and the host share a kernel, but I can use sysctl to set ip_forward to 1 or 0 separately from inside the container and from the host, and they retain those values as well. But I also observed that even if the ip_forward values read 0 in the host and 1 in the container, the host system is forwarding IP packets to a different network interface.

Does sharing a kernel mean sharing kernel parameters as well?

Samik

1 Answer

For the first question the answer is yes. For the second it's NO.
Since the introduction of namespaces, some parameters differ. That's why we can have eth0 in the host and in the container as well without a name collision: the network namespace is at work. sudo unshare -n -- ifconfig -a shows only lo. 'ip_forward' in the container is quite possible because the IP stack in the container has been unshared from the host.

Nizam Mohamed
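The per-namespace behaviour described in the answer can be checked directly. This is an added example, not part of the original answer: it uses a mainline Linux network namespace created with util-linux `unshare` (not an OpenVZ container), assumes the caller may create user and network namespaces, and the function name `netns_forward_probe` is hypothetical.

```shell
#!/bin/sh
# Added example: show that net.ipv4.ip_forward is stored per network namespace.
# Assumptions: Linux, util-linux unshare, user + network namespaces permitted,
# /proc/sys writable from inside the new namespace.

KEY=/proc/sys/net/ipv4/ip_forward

# Prints "<host_before> <namespace_value> <host_after>".
# Returns 2 when the namespace cannot be created or the sysctl cannot be written.
netns_forward_probe() {
    host_before=$(cat "$KEY" 2>/dev/null) || return 2

    # Choose the opposite of the host value so a difference is unambiguous.
    if [ "$host_before" = "0" ]; then want=1; else want=0; fi

    # -r maps the caller to root in a new user namespace, -n creates a new
    # network namespace. /proc/sys/net is resolved against the namespace of
    # the process doing the read or write, so this write never touches the
    # host's copy of the setting.
    ns_value=$(unshare -rn sh -c 'echo "$1" > "$2" && cat "$2"' \
        sh "$want" "$KEY" 2>/dev/null) || return 2

    # Re-read from the original namespace: the value must be unchanged.
    host_after=$(cat "$KEY" 2>/dev/null) || return 2

    echo "$host_before $ns_value $host_after"
}

netns_forward_probe || echo "cannot create a network namespace here" >&2
```

When auditing a host for unintended routing, read the value inside each network namespace rather than relying on the host's `sysctl` output alone.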