On 3/13/18 8:39 PM, Alexei Starovoitov wrote:
> For our container management we've been using complicated and fragile setup
> consisting of LD_PRELOAD wrapper intercepting bind and connect calls from
> all containerized applications.
> The setup involves per-container IPs, policy, etc, so traditional
> network-only solutions that involve VRFs, netns, acls are not applicable.
Why does VRF and the cgroup option to bind sockets to the VRF not solve this problem for you? The VRF limits the source address choices.