On Aug 20, 2013 11:20 AM, "Michał Górny" <mgo...@gentoo.org> wrote:
>
> On 2013-08-20, at 11:04:35
> Alexis Ballier <aball...@gentoo.org> wrote:
>
> > On Tue, 20 Aug 2013 12:26:03 +0200
> > Michał Górny <mgo...@gentoo.org> wrote:
> > >
> > > 2. FEATURES=network-sandbox
> > >
> >
> > does distcc work with this ?
>
> You could say that. It just can't connect to any other host :).
>
> We may try to handle this somehow but I can't immediately think of any
> sane way of 'escaping' the sandbox.

You could do it the same way as LXC does, with a virtual interface which is then NAT-ed to the real network interface, but I'm not sure I'd consider this sane. The overhead required to set this up on every execution of gcc, let alone the modifications needed for NAT, pretty much rules this out completely. You might be able to exploit iptables and ip6tables to allow only distcc to communicate out, but that's still painful and is a hack at best.

-Doug