Re: How to make per process firewall ?

On Thu, Apr 20, 2017 at 10:31:33AM -0700, Joe Smith wrote:
> On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan <stephen@xxxxxxxxxx> wrote:
[snip]
> I understand the iptables solution. The namespace solution seems
> restrictive,

It depends on how you set it up. If you put your only network interface within
this namespace, then yes, it is a bit restrictive. But if you were to set up a
veth pair, put one end into the namespace and the other in your default
namespace, and then configure NAT so traffic from the veth gets routed out
properly, then everything would still share one IP address.

Yes, this is just as much work as it sounds like, so I can understand why it
doesn't sound like a good idea!

> it will exclusively allow the IP address to be used in
> the namespace that it is hosted in and there is no control over the
> port.

You can control the port using iptables within the namespace. At that point,
it's a simple firewall rule that says "drop any traffic that isn't on this
port". Since no other processes are in the namespace, it only affects the
processes you want to restrict.

> So if it is OK to dedicate an IP address to a namespace then
> fine but it still does not solve the port issue and iptables will have
> to be used. So why not just use iptables ?

The iptables -m owner solution is much simpler, so yeah, probably just use that.
I came up with the network namespace solution because I've recently been doing
*a lot* of work using them. When all you have is a hammer, everything looks like
a nail!


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
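Both approaches from the reply above, the iptables -m owner rule and the veth-plus-NAT network namespace with a port filter inside it, written out as an added shell example. This is not code from the thread or from either poster; it is illustration only. Everything concrete in it is an assumption chosen for the example: the confined program runs as user "restricted", the only permitted destination is TCP port 443, the namespace is called "jail", the veth pair is veth-host/veth-ns on 10.200.0.0/24, and the host's uplink is eth0. It also goes one step beyond the text by repeating the port filter in the host's FORWARD chain, because rules inside the namespace can be flushed by any process that holds CAP_NET_ADMIN there, while the host-side copy cannot.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): per-process egress
# filtering on Linux, two ways.  All names below are placeholders chosen for
# this example: user "restricted", port 443, namespace "jail", veth pair
# veth-host/veth-ns on 10.200.0.0/24, uplink eth0.

# Dry run by default: print each command instead of executing it, so the rule
# set can be reviewed first.  RUN=1 ./script.sh applies it (requires root).
run() {
    if [ "${RUN:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Approach 1: iptables -m owner.  The owner match only works on locally
# generated packets, i.e. in the OUTPUT chain (and nat POSTROUTING), where the
# kernel still knows which socket, and so which UID, produced the packet.
# Replies come back through INPUT/conntrack and are unaffected.
owner_rules() {
    user="$1"; port="$2"
    run iptables -A OUTPUT -m owner --uid-owner "$user" -p tcp --dport "$port" -j ACCEPT
    # Nothing else from that UID leaves the host.  If the program must resolve
    # names itself, add a UDP/53 ACCEPT above this DROP.
    run iptables -A OUTPUT -m owner --uid-owner "$user" -j DROP
}

# Approach 2: a network namespace joined to the host by a veth pair.  The host
# masquerades the namespace's traffic so it still shares the host's address.
# The port filter is applied inside the namespace, where it only touches
# processes started there (ip netns exec jail <program>), and again in the
# host's FORWARD chain, which a process inside the namespace cannot change.
netns_rules() {
    ns="$1"; port="$2"; uplink="$3"
    host_if=veth-host; ns_if=veth-ns
    host_ip=10.200.0.1; ns_ip=10.200.0.2; subnet=10.200.0.0/24

    run ip netns add "$ns"
    run ip link add "$host_if" type veth peer name "$ns_if"
    run ip link set "$ns_if" netns "$ns"
    run ip addr add "$host_ip/24" dev "$host_if"
    run ip link set "$host_if" up
    run ip netns exec "$ns" ip addr add "$ns_ip/24" dev "$ns_if"
    run ip netns exec "$ns" ip link set "$ns_if" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip route add default via "$host_ip"

    # Host side: forward only the allowed port out of the veth, let replies
    # back in, and NAT the namespace's source address onto the uplink.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$uplink" -j MASQUERADE
    run iptables -A FORWARD -i "$host_if" -o "$uplink" -p tcp --dport "$port" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o "$host_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$host_if" -j DROP

    # Namespace side: "drop any traffic that isn't on this port".
    run ip netns exec "$ns" iptables -A OUTPUT -o lo -j ACCEPT
    run ip netns exec "$ns" iptables -A OUTPUT -p tcp --dport "$port" -j ACCEPT
    run ip netns exec "$ns" iptables -A OUTPUT -j DROP
}

# Print (or, with RUN=1, apply) both rule sets.
owner_rules restricted 443
netns_rules jail 443 eth0
```

Run it once without RUN=1 and read the output; that is the whole rule set and is easy to diff against what `iptables -S` and `ip netns exec jail iptables -S` report afterwards. With approach 1 the program just needs to run as the matched UID; with approach 2 it must be started with `ip netns exec jail`, and it will see only veth-ns and lo, so anything it binds to still ends up behind the host's single address.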