lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0edde01a-c9bb-7de2-ede1-dc52996c12c2@gmail.com>
Date:   Wed, 14 Mar 2018 10:13:22 -0700
From:   David Ahern <dsahern@...il.com>
To:     Alexei Starovoitov <ast@...nel.org>, davem@...emloft.net
Cc:     daniel@...earbox.net, netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH RFC bpf-next 0/6] bpf: introduce cgroup-bpf bind, connect,
 post-bind hooks

On 3/13/18 8:39 PM, Alexei Starovoitov wrote:
> For our container management we've been using complicated and fragile setup
> consisting of LD_PRELOAD wrapper intercepting bind and connect calls from
> all containerized applications.
> The setup involves per-container IPs, policy, etc, so traditional
> network-only solutions that involve VRFs, netns, acls are not applicable.

Why does VRF and the cgroup option to bind sockets to the VRF not solve
this problem for you? The VRF limits the source address choices.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ