On Thu, Jan 15, 2009 at 7:35 AM, Grzegorz Nosek <root@xxxxxxxxxxxxxx> wrote:
>
> I guess the net result would comprise two parts:
> - iptable_control, possibly based on Paul's code (hook
>   socket/connect/bind/accept calls into iptables)
> - ipt_cgroup, matching the cgroup the requesting process is a member
>   of (I'd also need a target to remap the source address but it would
>   probably be a minor thing to do)
>

Right.

> One thing I'm not quite sure about is matching the cgroups. Should I
> attempt to match the cgroup path? Or some per-cgroup cookie stored in a
> virtual file? Both don't seem too pretty, need help :/

Use an approach similar to the net_cls cgroup subsystem in
net/sched/cls_cgroup.c. (Or possibly just expose and reuse the same
id).

Paul
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers