Quoting Grzegorz Nosek (root@xxxxxxxxxxxxxx):
> This is a very simple cgroup subsystem to restrict IP addresses used
> by member processes. Currently it is limited to IPv4 only but IPv6 (or
> other protocols) should be easy to implement.
>
> IP addresses are write-once (via /cgroup/.../ipaddr.ipv4 in dotted-quad
> format) and are inherited by descendant cgroups, so a process once
> restricted should never be able to get rid of the limits. Any address
> may be specified in multiple cgroups. No verification is done to ensure
> the addresses are actually configured on the machine, which has its
> advantages (may add the addresses later) and disadvantages (if you enter
> the wrong address, the cgroup will be effectively cut off from the
> network).
>
> Whenever a process inside a restricted cgroup calls bind(2), the address
> is checked like this:
> - INADDR_LOOPBACK is explicitly allowed (a special case)
> - INADDR_ANY is remapped to _the_ IP address
> - _the_ IP address is passed through unharmed
> - everything else causes -EPERM
>
> When a process calls connect(2), this subsystem calls bind(_the_IP_)
> quietly behind its back, while preserving the original bound port (if
> any).
>
> Rationale (or when/why would you want it):
> The use case for ipaddr_cgroup doesn't overlap with network namespaces,
> which also allow IP address restrictions, because it aims to be much
> lighter due to its limited scope (hopefully able to easily support
> hundreds or possibly thousands of distinct cgroups). It does not attempt
> to hide the existence of other IP addresses from the user.

Have you run a test, and found that in fact a network namespace is too heavyweight to do so? If so, some numbers here would be far more persuasive.

(Mind you I've written a few versions of this - based on LSM - myself in the past, but that was before network namespaces existed)

-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
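The following is an added, user-space C model of the bind(2)/connect(2) policy the quoted patch summary describes (write-once address, inheritance by descendant cgroups, loopback allowed, INADDR_ANY remapped, anything else -EPERM, and the implicit bind before connect that keeps the port). It is not code from the patch or from the mailing-list thread; the struct and function names (ipaddr_cgroup, ipaddr_check_bind, ipaddr_before_connect), the -EBUSY/-EINVAL return codes for the write path, and the 192.0.2.x / 198.51.100.x sample addresses are assumptions made for illustration.

```c
/* Added example (not Grzegorz Nosek's patch): user-space model of the
 * ipaddr cgroup bind policy. All names below are illustrative assumptions. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One cgroup: unrestricted (addr == 0) or tied to a single IPv4 address.
 * The address is write-once and inherited by every descendant cgroup. */
struct ipaddr_cgroup {
    struct ipaddr_cgroup *parent;
    uint32_t addr;              /* network byte order; 0 means "not set" */
};

/* Effective address: nearest cgroup on the path to the root that set one. */
static uint32_t ipaddr_effective(const struct ipaddr_cgroup *cg)
{
    for (; cg; cg = cg->parent)
        if (cg->addr)
            return cg->addr;
    return 0;
}

/* Write-once: once an address is set (here or in an ancestor) no further
 * write is accepted, so a restricted process can never widen its limits.
 * Dotted-quad parsing mirrors the /cgroup/.../ipaddr.ipv4 interface. */
static int ipaddr_cgroup_write(struct ipaddr_cgroup *cg, const char *dotted)
{
    struct in_addr in;
    if (ipaddr_effective(cg))
        return -EBUSY;          /* assumed error code for a second write */
    if (inet_pton(AF_INET, dotted, &in) != 1)
        return -EINVAL;         /* not a valid dotted quad */
    cg->addr = in.s_addr;
    return 0;
}

/* bind(2) check as listed in the summary. *effective receives the address
 * bind() should actually use (differs from requested only for INADDR_ANY). */
static int ipaddr_check_bind(const struct ipaddr_cgroup *cg,
                             uint32_t requested, uint32_t *effective)
{
    uint32_t the_ip = ipaddr_effective(cg);
    if (!the_ip) {                          /* unrestricted cgroup */
        *effective = requested;
        return 0;
    }
    if (requested == htonl(INADDR_LOOPBACK) || requested == the_ip) {
        *effective = requested;             /* loopback / own address pass */
        return 0;
    }
    if (requested == htonl(INADDR_ANY)) {
        *effective = the_ip;                /* remap wildcard to _the_ IP */
        return 0;
    }
    return -EPERM;                          /* any other address */
}

/* connect(2) hook: re-run the bind check on the socket's current local
 * address (INADDR_ANY for an unbound socket) so the socket ends up bound to
 * _the_ IP; sin_port is left untouched, preserving any port already bound. */
static int ipaddr_before_connect(const struct ipaddr_cgroup *cg,
                                 struct sockaddr_in *local)
{
    uint32_t eff;
    int rc = ipaddr_check_bind(cg, local->sin_addr.s_addr, &eff);
    if (rc)
        return rc;
    local->sin_addr.s_addr = eff;
    return 0;
}

/* Exercises every rule above with constructed addresses; 0 means all hold,
 * any other value identifies the first rule that failed. */
static int ipaddr_selftest(void)
{
    struct ipaddr_cgroup root = { NULL, 0 }, parent = { &root, 0 }, child = { &parent, 0 };
    uint32_t eff, the_ip;
    struct sockaddr_in sa;

    if (ipaddr_cgroup_write(&parent, "192.0.2.10") != 0) return 1;
    if (ipaddr_cgroup_write(&child, "192.0.2.11") != -EBUSY) return 2;  /* inherited: write-once */
    if (ipaddr_cgroup_write(&root, "999.1.1.1") != -EINVAL) return 3;   /* bad dotted quad */
    the_ip = ipaddr_effective(&child);
    if (the_ip != inet_addr("192.0.2.10")) return 4;                   /* inheritance */
    if (ipaddr_check_bind(&child, htonl(INADDR_LOOPBACK), &eff) || eff != htonl(INADDR_LOOPBACK)) return 5;
    if (ipaddr_check_bind(&child, htonl(INADDR_ANY), &eff) || eff != the_ip) return 6;
    if (ipaddr_check_bind(&child, the_ip, &eff) || eff != the_ip) return 7;
    if (ipaddr_check_bind(&child, inet_addr("198.51.100.1"), &eff) != -EPERM) return 8;
    if (ipaddr_check_bind(&root, inet_addr("198.51.100.1"), &eff) != 0) return 9; /* unrestricted */
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(4242);                                          /* bound to ANY:4242 */
    if (ipaddr_before_connect(&child, &sa) || sa.sin_addr.s_addr != the_ip || sa.sin_port != htons(4242)) return 10;
    return 0;
}

int main(void)
{
    int rc = ipaddr_selftest();
    printf("ipaddr policy model: %s (code %d)\n", rc ? "FAIL" : "ok", rc);
    return rc;
}
```

The model keeps the two properties a reviewer would want to verify separately: the policy decision (ipaddr_check_bind) is a pure function of the effective address, and the write path refuses any change once an address is visible from the cgroup, which is what makes the restriction inescapable by descendants.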