Herbert Poetzl wrote:
On Mon, Sep 11, 2006 at 04:40:59PM +0200, Daniel Lezcano wrote:


I am currently working on this and I am finishing a prototype bringing
isolation at the ip layer. The prototype code is very close to
Andrey's patches at TCP/UDP level. So the next step is to merge the
prototype code with the existing network namespace layer 2 isolation.


you might want to take a look at the current Linux-VServer
implementation for the network isolation too, should be
quite similar to Andrey's approach, but maybe you can
gather some additional information from there

ok, thanks. I will.

IMHO, the solution of splitting CONFIG_NET_NS into CONFIG_L2_NET_NS
and CONFIG_L3_NET_NS is for me not acceptable because you will need
to recompile the kernel. The proper way is certainly to have a
specific flag for the unshare, something like CLONE_NEW_L2_NET and
CLONE_NEW_L3_NET for example.


I completely agree here, we need a separate namespace
for that, so that we can combine isolation and virtualization
as needed, unless the bind restrictions can be completely
expressed with an additional mangle or filter table (as
was suggested)

What is the bind restriction? Do you want to force binding to a specific source address?

  -- Daniel