Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.

2017-01-13 Thread Krister Johansen
On Thu, Jan 12, 2017 at 09:22:13AM -0500, David Miller wrote:
> From: Krister Johansen
> > The use case for this change is to allow containerized processes to bind
> > to privileged ports, but prevent them from ever being allowed to modify
> > their container's network

Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.

2017-01-13 Thread Krister Johansen
On Thu, Jan 12, 2017 at 06:39:57AM -0800, Eric Dumazet wrote:
> On Wed, 2017-01-11 at 22:52 -0800, Krister Johansen wrote:
> > Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> > that denotes the first unprotected inet port in the namespace. To
> > disable all protected

Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.

2017-01-12 Thread Eric Dumazet
On Wed, 2017-01-11 at 22:52 -0800, Krister Johansen wrote:
> Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> that denotes the first unprotected inet port in the namespace. To
> disable all protected ports set this to zero. It also checks for
> overlap with the local

Re: [PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.

2017-01-12 Thread David Miller
From: Krister Johansen
Date: Wed, 11 Jan 2017 22:52:25 -0800
> Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl
> that denotes the first unprotected inet port in the namespace. To
> disable all protected ports set this to zero. It also checks for

[PATCH v2 net-next] Introduce a sysctl that modifies the value of PROT_SOCK.

2017-01-11 Thread Krister Johansen
Add net.ipv4.ip_unprotected_port_start, which is a per namespace sysctl that denotes the first unprotected inet port in the namespace. To disable all protected ports set this to zero. It also checks for overlap with the local port range. The protected and local range may not overlap. The use