On 9/10/07, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
>
> Perhaps the biggest upside of this approach is that it's providing
> network functionality in a way that should be much more familiar to
> network folks. As opposed to using an lsm with a new vfs interface.
Right - one of the things that
Quoting Paul Menage ([EMAIL PROTECTED]):
> On 9/10/07, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
> >
> > The only downside I see right now is what to do about a sendto() on a
> > udp socket that hasn't been bound.
>
> Maybe have additional chains in the new iptable called "sendto" and
> "recvfrom
On 9/10/07, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
>
> The only downside I see right now is what to do about a sendto() on a
> udp socket that hasn't been bound.
Maybe have additional chains in the new iptable called "sendto" and
"recvfrom" that are invoked for those operations on unbound data
Quoting Daniel Lezcano ([EMAIL PROTECTED]):
> Serge E. Hallyn wrote:
>> Quoting Daniel Lezcano ([EMAIL PROTECTED]):
>>> Serge E. Hallyn wrote:
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> From: Daniel Lezcano <[EMAIL PROTECTED]>
>
> For the moment, I only made this patch for th
Serge E. Hallyn wrote:
Quoting Daniel Lezcano ([EMAIL PROTECTED]):
Serge E. Hallyn wrote:
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
From: Daniel Lezcano <[EMAIL PROTECTED]>
For the moment, I only made this patch for the RFC. It shows how simple
it is
to hook different socket syscalls. T
Quoting Daniel Lezcano ([EMAIL PROTECTED]):
> Serge E. Hallyn wrote:
>> Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
>>> From: Daniel Lezcano <[EMAIL PROTECTED]>
>>>
>>> For the moment, I only made this patch for the RFC. It shows how simple
>>> it is
>>> to hook different socket syscalls. This
Serge E. Hallyn wrote:
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
From: Daniel Lezcano <[EMAIL PROTECTED]>
For the moment, I only made this patch for the RFC. It shows how simple it is
to hook different socket syscalls. This patch denies bind to any addresses
which are not in the container
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
> From: Daniel Lezcano <[EMAIL PROTECTED]>
>
> For the moment, I only made this patch for the RFC. It shows how simple it is
> to hook different socket syscalls. This patch denies bind to any addresses
> which are not in the container IPV4 address lis
