Paul Menage <[email protected]> writes:

> Oh, and don't forget being able to control remote addresses/ports too.
> E.g. you might not care what local port/address something binds to (or
> there may only be one local address anyway) but you might want to
> restrict a cgroup from e.g. connecting outside your data center, etc.
> (Something that I'm interested in).

If it's going to be that advanced, it will end up either like iptables
or like routing tables.

It is a bit much to expect normal applications to use either, but
iptables is especially complicated. I am a little bit tempted by
something resembling routing/rule tables, but it would obviously have
to be a bit more limited. E.g. gateway addresses should not be stored
there at all.

There is also the classic question: What happens if you invoke a
setuid or setgid executable with restrictions in effect? It is hard to
guarantee that this isn't exploitable in any way.


/Benny


_______________________________________________
Containers mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/containers

_______________________________________________
Devel mailing list
[email protected]
https://openvz.org/mailman/listinfo/devel