On 10/19/2013 01:21 AM, Eric W. Biederman wrote:
> I am coming to this late. But two concrete suggestions.
> 1) process groups and sessions don't change as frequently as pids.
> 2) It is possible to put a set of processes in their own network namespace and pipe just the packets you want those processes to use into that network namespace. Using an ingress queueing filter makes that process very efficient even if you have to filter by port.
Actually, in our case we're filtering outgoing traffic, based on which local socket it originated from; so you wouldn't need all of that construct. Also, you wouldn't even need to have a priori knowledge of the application internals regarding their use of particular ports or protocols. I don't think that such a setup will have the same efficiency, ease of use, and power to distinguish the application the traffic came from in such a lightweight, protocol-independent and easy way.