Dave Hansen wrote:
> Quoting Ted ([EMAIL PROTECTED]):
>
>> Can anyone point me to a good source of information on namespaces in
>> general and network namespaces specifically. Are network namespaces
>> something that could be utilized through xinetd to get polyinstantiated
>> port functionality?
>
> I was just talking to Serge about this on IRC a bit. I think network
> namespaces might do some of what you want.
>
> Note that this is coming from somebody (me) that has never written a
> line of networking code in his life. So, don't pay too much attention.
> Just brainstorming.
>
> One of the important things that they give you is the ability to have
> multiple stupid daemons listening on "*:80". Each daemon thinks they
> "own" that port. However, the network namespace patches make sure that
> such a daemon doesn't receive any packets not meant for an IP owned by
> that daemon.
>
> So, if you added network namespaces with a rewriting netfilter rule that
> would mangle destination addresses to match the IP address of a
> containerized daemon, I _think_ you might be able to get what you want.
>
> So,
>
> 1. packet comes in for port 80
> 2. packet is tagged by secmark
> 3. packet matches netfilter rule, is redirected to a _specific_ IP
> 4. packet reaches containerized daemon listening on port 80
My only concern with something like this is that it would probably wreak
havoc with things that do checksums/HMACs/etc with the IP addresses. I
think we should try to avoid packet mangling as much as possible; it
tends to introduce more problems than it solves (NAT anyone?). However,
it may be that someone has already thought of that and found a way
around it?

--
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
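To make the concern in this reply concrete, here is an added example (not code from the thread or from any of the posters) that builds a constructed TCP SYN for a public address, rewrites its destination the way the proposed netfilter rule would, and checks what survives: the TCP checksum breaks but can be recomputed by the NAT code, whereas a keyed MAC bound to the addresses (an HMAC-SHA256 stand-in for the TCP-MD5/IPsec-AH style checks the reply alludes to) cannot be. The addresses, port numbers and key are constructed sample values; the checksum field is assumed to sit at bytes 16-17 of the TCP header.

```python
import hashlib
import hmac
import socket
import struct
def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, proto 6, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)

def with_checksum(src: str, dst: str, seg: bytes) -> bytes:
    """Return the segment with its checksum field (bytes 16-17) recomputed."""
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    csum = internet_checksum(pseudo_header(src, dst, len(seg)) + zeroed)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def checksum_valid(src: str, dst: str, seg: bytes) -> bool:
    """A receiver sums pseudo-header plus the whole segment; 0 means intact."""
    return internet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0

def address_hmac(key: bytes, src: str, dst: str, seg: bytes) -> bytes:
    """Stand-in for an address-bound keyed MAC; a middlebox without the key cannot redo it."""
    return hmac.new(key, pseudo_header(src, dst, len(seg)) + seg, hashlib.sha256).digest()

def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: a 20-byte TCP SYN header, no options, no payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    return with_checksum(src, dst, hdr)

def dnat_effect(src: str, public_dst: str, container_dst: str, key: bytes) -> dict:
    """What happens to a SYN for public_dst:80 when a rule rewrites it to container_dst."""
    seg = build_syn(src, public_dst, 40000, 80)
    tag = address_hmac(key, src, public_dst, seg)
    return {
        "before_rewrite": checksum_valid(src, public_dst, seg),
        # Plain address rewrite without fixing the checksum: the daemon's stack drops it.
        "after_rewrite": checksum_valid(src, container_dst, seg),
        # Kernel NAT does recompute the checksum, so this part is recoverable.
        "after_recompute": checksum_valid(src, container_dst, with_checksum(src, container_dst, seg)),
        # A keyed MAC over the addresses cannot be recomputed by the middlebox.
        "hmac_still_matches": hmac.compare_digest(address_hmac(key, src, container_dst, seg), tag),
    }
```

Calling `dnat_effect("192.0.2.10", "198.51.100.5", "10.0.0.2", b"constructed-key")` shows the checksum failing after the rewrite, passing again once recomputed, and the HMAC never matching again.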
