Re: [Devel] [RFC][PATCH] IP address restricting cgroup subsystem

On Sat, Jan 10, 2009 at 3:20 AM, Grzegorz Nosek <root@xxxxxxxxxxxxxx> wrote:
>
> IP address [/netmask] [port [- port]]
>
> right? Would that cover a reasonable set of use cases?

Oh, and don't forget being able to control remote addresses/ports too.
E.g. you might not care what local port/address something binds to (or
there may only be one local address anyway) but you might want to
restrict a cgroup from e.g. connecting outside your data center, etc.
(Something that I'm interested in).

> If there are
> going to be multiple addresses, we'd probably want some mechanism to
> determine which one should be used for remapping INADDR_ANY. BTW, do you
> want to restrict connect() source ports too?

Potentially, yes.

>
> The iptables interface is nice but only works with network packets and
> not sockets

But converting a socket definition into a packet header that would be
sent/received on that socket is a fairly mechanical operation, and
after that you have the entire flexibility of the iptables API
available. So the connect() operation would construct a fake packet
header and send it through the iptable associated with the current
cgroup; if the packet was accepted the operation was permitted, else
the operation was denied.

> So, are you opposed to the current implementation (single IP address) or
> to the interface (a file in cgroupfs)?

Primarily the interface - changing the code later is simple.

Paul
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
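Added example (not code from the thread, the RFC patch, or the kernel): a user-space model of the idea Paul sketches above. A connect() call is turned into a synthetic header (local address/port, remote address/port) and evaluated against a per-cgroup rule set whose lines follow Grzegorz's proposed syntax, "address[/netmask] [port[-port]]", kept as separate local and remote lists so that remote destinations and connect() source ports can be restricted as the mail asks for. The struct and function names (cg_policy, parse_rule, cg_connect_allowed, dc_policy), the MAX_RULES limit, the "empty list means unrestricted" semantics and the data-center addresses are all assumptions made for this example; how INADDR_ANY gets remapped is left open here, as it is in the thread.

```c
/* Added example, not from the thread or the patch: a user-space model of
 * "build a fake header from the socket op and run it through the cgroup's
 * rule set". Rule syntax follows the mail: "addr[/prefix] [port[-port]]". */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8   /* assumed limit for the example */

struct ip_rule {
    uint32_t addr, mask;        /* host byte order; mask derived from prefix */
    uint16_t port_lo, port_hi;  /* inclusive; defaults to 0-65535 */
};

/* Per-cgroup policy: allow-lists for the local and the remote side.
 * Assumed semantics: an empty list leaves that side unrestricted. */
struct cg_policy {
    struct ip_rule local[MAX_RULES], remote[MAX_RULES];
    int nlocal, nremote;
};

/* The synthetic header a connect() would produce (host byte order). */
struct fake_hdr { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Parse one rule line. Returns 0 on success, -1 on a malformed rule. */
static int parse_rule(const char *text, struct ip_rule *r)
{
    char buf[64], *slash, *sp;
    struct in_addr ia;
    unsigned prefix = 32, lo = 0, hi = 65535;

    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    sp = strchr(buf, ' ');
    if (sp) {                               /* optional "port" or "lo-hi" */
        *sp++ = '\0';
        int n = sscanf(sp, "%u-%u", &lo, &hi);
        if (n == 1) hi = lo;
        else if (n != 2) return -1;
    }
    slash = strchr(buf, '/');
    if (slash) {                            /* optional "/prefix" */
        *slash++ = '\0';
        if (sscanf(slash, "%u", &prefix) != 1 || prefix > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &ia) != 1 || lo > 65535 || hi > 65535 || lo > hi)
        return -1;
    r->addr = ntohl(ia.s_addr);
    r->mask = prefix ? 0xFFFFFFFFu << (32 - prefix) : 0;
    r->port_lo = (uint16_t)lo;
    r->port_hi = (uint16_t)hi;
    return 0;
}

/* Append a rule, as writing one line to the cgroupfs file might. */
static int cg_add_rule(struct cg_policy *p, int remote, const char *text)
{
    struct ip_rule *list = remote ? p->remote : p->local;
    int *n = remote ? &p->nremote : &p->nlocal;
    if (*n >= MAX_RULES || parse_rule(text, &list[*n]) != 0)
        return -1;
    (*n)++;
    return 0;
}

static int side_permits(const struct ip_rule *rules, int n, uint32_t addr, uint16_t port)
{
    if (n == 0)
        return 1;                           /* unrestricted side */
    for (int i = 0; i < n; i++)
        if ((addr & rules[i].mask) == (rules[i].addr & rules[i].mask) &&
            port >= rules[i].port_lo && port <= rules[i].port_hi)
            return 1;
    return 0;
}

/* Build the fake header for connect(local -> remote) and evaluate it. */
int cg_connect_allowed(const struct cg_policy *p, const char *laddr, uint16_t lport,
                       const char *raddr, uint16_t rport)
{
    struct in_addr l, r;
    struct fake_hdr h;
    if (inet_pton(AF_INET, laddr, &l) != 1 || inet_pton(AF_INET, raddr, &r) != 1)
        return 0;                           /* unparsable address: fail closed */
    h.saddr = ntohl(l.s_addr); h.sport = lport;
    h.daddr = ntohl(r.s_addr); h.dport = rport;
    return side_permits(p->local, p->nlocal, h.saddr, h.sport) &&
           side_permits(p->remote, p->nremote, h.daddr, h.dport);
}

/* Constructed "stay inside the data center" policy: remote must be in
 * 10/8 or the one external HTTPS host; local source port must be ephemeral. */
int dc_policy(struct cg_policy *p)
{
    memset(p, 0, sizeof *p);
    return cg_add_rule(p, 1, "10.0.0.0/8") ||
           cg_add_rule(p, 1, "192.0.2.10 443") ||
           cg_add_rule(p, 0, "0.0.0.0/0 1024-65535");
}

/* One-shot check against the constructed policy: 1 permit, 0 deny, -1 error. */
int dc_connect_allowed(const char *laddr, uint16_t lport, const char *raddr, uint16_t rport)
{
    struct cg_policy p;
    if (dc_policy(&p) != 0)
        return -1;
    return cg_connect_allowed(&p, laddr, lport, raddr, rport);
}

int rule_is_valid(const char *text) { struct ip_rule r; return parse_rule(text, &r) == 0; }

int main(void)
{
    printf("10.1.2.3:22 -> %s\n", dc_connect_allowed("10.0.0.5", 40000, "10.1.2.3", 22) ? "permit" : "deny");
    printf("8.8.8.8:53  -> %s\n", dc_connect_allowed("10.0.0.5", 40000, "8.8.8.8", 53) ? "permit" : "deny");
    return 0;
}
```

The point of splitting the policy into a local and a remote list is the one Paul raises: a cgroup may have only one local address and not care about it, yet still need its outbound destinations limited. Keeping both lists lets an administrator restrict either side independently, and the source-port range on the local list is how the "restrict connect() source ports" question would be answered in this model.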
