[Devel] [RFC][PATCH] IP address restricting cgroup subsystem
Paul Menage
menage at google.com
Sat Jan 10 08:21:53 PST 2009
On Sat, Jan 10, 2009 at 3:20 AM, Grzegorz Nosek <root at localdomain.pl> wrote:
>
> IP address [/netmask] [port [- port]]
>
> right? Would that cover a reasonable set of use cases?
Oh, and don't forget being able to control remote addresses/ports too.
E.g. you might not care what local port/address something binds to (or
there may only be one local address anyway) but you might want to
restrict a cgroup from e.g. connecting outside your data center, etc.
(Something that I'm interested in).
> If there are
> going to be multiple addresses, we'd probably want some mechanism to
> determine which one should be used for remapping INADDR_ANY. BTW, do you
> want to restrict connect() source ports too?
Potentially, yes.
>
> The iptables interface is nice but only works with network packets and
> not sockets
But converting a socket definition into a packet header that would be
sent/received on that socket is a fairly mechanical operation, and
after that you have the entire flexibility of the iptables API
available. So the connect() operation would construct a fake packet
header and send it through the iptable associated with the current
cgroup; if the packet was accepted the operation was permitted, else
the operation was denied.
> So, are you opposed to the current implementation (single IP address) or
> to the interface (a file in cgroupfs)?
Primarily the interface - changing the code later is simple.
Paul
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
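The design discussed above (a rule table of `IP address [/netmask] [port [- port]]` entries that covers both local and remote endpoints, an INADDR_ANY remap address, and a connect()/bind() that is turned into a fake packet header and run through the cgroup's table) can be modelled in user space. The following is an added example written for this archive page, not code from the RFC patch or from either author. It assumes a textual rule format `side IP[/netmask] [port[-port]] ACTION` where `side` is `local` or `remote` and the action is `ACCEPT` or `DROP`, first-match-wins evaluation like an iptables chain, and a per-table `any_remap` address; the rule set and addresses are constructed sample data.

```python
"""Model of a per-cgroup socket policy evaluated on a synthetic packet header.

Added illustration (not kernel code): bind()/connect() arguments are turned
into the header a packet on that socket would carry, then walked through
the cgroup's rule table, first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    side: str                      # "local" checks (saddr, sport); "remote" checks (daddr, dport)
    network: ipaddress.IPv4Network  # e.g. 10.0.0.0/8; 0.0.0.0/0 matches any address
    port_lo: int
    port_hi: int
    action: str                    # "ACCEPT" or "DROP" (iptables-style targets, an assumption here)

    def matches(self, addr: IPAddr, port: int) -> bool:
        return addr in self.network and self.port_lo <= port <= self.port_hi


def parse_rule(text: str) -> Rule:
    """Parse 'side IP[/netmask] [port[-port]] ACTION' (assumed format extending
    the mail's 'IP address [/netmask] [port [- port]]'). No ports means all ports."""
    tokens = text.split()
    side, action, middle = tokens[0], tokens[-1], tokens[1:-1]
    if side not in ("local", "remote") or action not in ("ACCEPT", "DROP") or not middle:
        raise ValueError(f"bad rule: {text!r}")
    network = ipaddress.ip_network(middle[0], strict=False)
    ports = "".join(middle[1:]) or "0-65535"   # tolerate 'port - port' written with spaces
    lo, _, hi = ports.partition("-")
    return Rule(side, network, int(lo), int(hi or lo), action)


@dataclass(frozen=True)
class FakeHeader:
    """The addresses/ports a packet on this socket would carry."""
    saddr: IPAddr
    sport: int
    daddr: Optional[IPAddr] = None   # None for bind(): there is no peer yet
    dport: Optional[int] = None


class CgroupNetTable:
    def __init__(self, rules: List[str], default: str = "ACCEPT", any_remap: Optional[str] = None):
        self.rules = [parse_rule(r) for r in rules]
        self.default = default                      # verdict when no rule matches (chain policy)
        self.any_remap = ipaddress.ip_address(any_remap) if any_remap else None

    def header_for_bind(self, local_addr: str, local_port: int) -> FakeHeader:
        addr = ipaddress.ip_address(local_addr)
        # INADDR_ANY is remapped to the cgroup's configured address before the check.
        if addr == ipaddress.ip_address("0.0.0.0") and self.any_remap is not None:
            addr = self.any_remap
        return FakeHeader(addr, local_port)

    def header_for_connect(self, local_addr: str, local_port: int,
                           remote_addr: str, remote_port: int) -> FakeHeader:
        local = self.header_for_bind(local_addr, local_port)
        return FakeHeader(local.saddr, local.sport, ipaddress.ip_address(remote_addr), remote_port)

    def verdict(self, header: FakeHeader) -> str:
        for rule in self.rules:
            if rule.side == "local":
                addr, port = header.saddr, header.sport
            else:
                addr, port = header.daddr, header.dport
                if addr is None:            # bind() has no remote side; remote rules do not apply
                    continue
            if rule.matches(addr, port):
                return rule.action          # first match wins, as in an iptables chain
        return self.default

    def bind_allowed(self, local_addr: str, local_port: int) -> bool:
        return self.verdict(self.header_for_bind(local_addr, local_port)) == "ACCEPT"

    def connect_allowed(self, local_addr: str, local_port: int,
                        remote_addr: str, remote_port: int) -> bool:
        hdr = self.header_for_connect(local_addr, local_port, remote_addr, remote_port)
        return self.verdict(hdr) == "ACCEPT"


# Constructed sample policy: peers must stay inside 10.0.0.0/8, and the cgroup may
# only bind its own address 192.168.1.10 on ports 8000-8999.
DATACENTER_RULES = [
    "remote 10.0.0.0/8 ACCEPT",
    "remote 0.0.0.0/0 DROP",
    "local 192.168.1.10/32 8000 - 8999 ACCEPT",
    "local 0.0.0.0/0 DROP",
]

if __name__ == "__main__":
    table = CgroupNetTable(DATACENTER_RULES, any_remap="192.168.1.10")
    print("bind 0.0.0.0:8080 ->", table.bind_allowed("0.0.0.0", 8080))
    print("bind 0.0.0.0:22   ->", table.bind_allowed("0.0.0.0", 22))
    print("connect 10.1.2.3:443    ->", table.connect_allowed("0.0.0.0", 0, "10.1.2.3", 443))
    print("connect 203.0.113.5:53  ->", table.connect_allowed("0.0.0.0", 0, "203.0.113.5", 53))
```

Because the remote rules are listed first, a connect() whose peer is inside 10.0.0.0/8 is accepted before any local-side rule is consulted; put the local rules first if source-port restrictions on connect() should also apply, which is the ordering question a real per-cgroup table would need to settle.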