On Friday 08 September 2006 22:11, Herbert Poetzl wrote: > actually the light-weight ip isolation runs perfectly > fine _without_ CAP_NET_ADMIN, as you do not want the > guest to be able to mess with the 'configured' ips at > all (not to speak of interfaces here) It was only an example. I'm thinking about how to implement flexible solution, which permits light-weight ip isolation as well as full-fledged netwrok virtualization. Another solution is to split CONFIG_NET_NAMESPACE. Is it good for you? -- Thanks, Dmitry.