From: David Ahern <d...@cumulusnetworks.com>
Date: Thu, 1 Dec 2016 08:48:02 -0800
> The recently added VRF support in Linux leverages the bind-to-device
> API for programs to specify an L3 domain for a socket. While
> SO_BINDTODEVICE has been around for ages, not every ipv4/ipv6 capable
> program has support for it. Even for those programs that do support it,
> the API requires processes to be started as root (CAP_NET_RAW) which
> is not desirable from a general security perspective.
>
> This patch set leverages Daniel Mack's work to attach bpf programs to
> a cgroup to provide a capability to set sk_bound_dev_if for all
> AF_INET{6} sockets opened by a process in a cgroup when the sockets
> are allocated.

...

Series applied, thanks David.