On Sun, Mar 22, 2015 at 7:17 PM, tom <zs68j...@gmail.com> wrote:
> When creating an unprivileged LXC container as a non-root user, executing the iptables command below failed:
>
> iptables -A OUTPUT -o ethX -m owner --uid-owner ubuntu -j REJECT
>
> It seems iptables with "-m owner --uid-owner {USERNAME}" can only be executed in a privileged LXC container created by root on the host.
>
> Not sure if it's related to the LXC container or to iptables itself.
A Google search for "xt_owner user namespace" returns this: http://markmail.org/message/2k3y7g3sxr5rpefn (read also the previous messages in that thread), and xt_owner.c from kernel 3.19: http://lxr.free-electrons.com/source/net/netfilter/xt_owner.c

Short summary: xt_owner still does not work in user namespaces, and your best bet would be to ask on the netfilter list whether there will be any improvement in Linux 4.x.

--
Fajar

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users