Message-ID: <0edde01a-c9bb-7de2-ede1-dc52996c12c2@gmail.com>
Date: Wed, 14 Mar 2018 10:13:22 -0700
From: David Ahern <dsahern@...il.com>
To: Alexei Starovoitov <ast@...nel.org>, davem@...emloft.net
Cc: daniel@...earbox.net, netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH RFC bpf-next 0/6] bpf: introduce cgroup-bpf bind, connect,
post-bind hooks
On 3/13/18 8:39 PM, Alexei Starovoitov wrote:
> For our container management we've been using a complicated and fragile setup
> consisting of LD_PRELOAD wrapper intercepting bind and connect calls from
> all containerized applications.
> The setup involves per-container IPs, policy, etc, so traditional
> network-only solutions that involve VRFs, netns, acls are not applicable.
Why do VRF and the cgroup option to bind sockets to the VRF not solve
this problem for you? The VRF limits the source address choices.