Now I'm no expert on this particular area but I recall that there are now several ways to break a system up into "containers" [1] which is often used to do things like virtualisation. However, would it be possible to utilize the network "namespace" component [2] in order to break off a user's mobile broadband connection into a namespace that only their processes have access to? I'm just bringing this up because maybe the technology to do what everyone seems to agree "should" be possible already is in the kernel.
Like I said, I'm no expert, but I think I'll read into it out of curiosity... just wanted to throw it out there for anyone else who might be curious about looking down this path...

-Graham

[1] http://lxc.sourceforge.net/
[2] http://lxc.sourceforge.net/network.php

On 28 May 2010 17:23, Martijn Lievaart <[email protected]> wrote:
> On 05/28/2010 03:46 PM, Marc Herbert wrote:
>> On 28/05/2010 09:16, Simon Geard wrote:
>>>> Simply because IP is not designed like this at all. NetworkManager's
>>>> scope is to make IP networking easy; not to re-invent the Internet.
>>>
>>> Actually, couldn't something be done with Netfilter rules? The
>>> connection (a VPN, say) might technically be system-wide, but with rules
>>> enforcing that only applications running as a certain user could send
>>> and receive packets on it? Perhaps imperfect, but a starting point...
>>
>> Sockets have owners, but I doubt very much you can extend that to
>> packets. The "end-to-end principle" strikes again. So this rules out
>> Netfilter I am afraid.
>
> Netfilter has an owner match, which does extend the owner to packets, more
> or less. However, you would also have to consider routing. This also looks
> possible with tc rules matching on the same netfilter match. However I
> suspect this will never work satisfactorily, IP was just never designed to
> do things like this.
>
> I do think that we will move in this general direction, but with a more
> light-VM-per-user like approach, where every user has its own view of the
> filesystem, its own networking "view" etc. In other words, I suspect this
> is much bigger than can be handled now.
>
> HTH,
> M4
>
> _______________________________________________
> networkmanager-list mailing list
> [email protected]
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
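The two approaches discussed in the thread side by side, as an added shell example that is not part of the original messages and not code from NetworkManager or LXC: Graham's network-namespace idea (move the device into a namespace and start only the user's processes inside it) and Martijn's netfilter owner match combined with policy routing. Everything specific here is an assumption, not something the thread states: the modem is assumed to appear as an Ethernet-like device wwan0 configured by dhclient, the user is "graham", and the namespace name, routing table number, fwmark and gateway address are arbitrary placeholders. Every step needs root, so the script prints the commands it would run unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example for the per-user network isolation discussed in the thread.
# Not code from the thread, NetworkManager or LXC.
# Assumptions (not from the thread): the mobile broadband modem shows up as
# an Ethernet-like device wwan0 and is configured with dhclient; the user is
# "graham"; namespace name, table number, fwmark and gateway are placeholders.
set -eu

IFACE="${IFACE:-wwan0}"
USER_NAME="${USER_NAME:-graham}"
NS="${NS:-mobile}"
TABLE=100
MARK=0x1
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1 (Graham): give the device to a network namespace and start the
# user's processes inside it. Processes in the initial namespace cannot see
# the device, its addresses or its routes at all.
netns_isolate() {
    [ $# -gt 0 ] || set -- /bin/sh
    run ip netns add "$NS"
    # Moving a device into another namespace flushes its addresses and
    # routes, so the connection has to be (re)configured from inside.
    run ip link set "$IFACE" netns "$NS"
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip link set "$IFACE" up
    # "ip netns exec" bind-mounts /etc/netns/$NS/resolv.conf over
    # /etc/resolv.conf, so the DHCP client running inside the namespace
    # updates the namespace's DNS settings rather than the host's.
    run mkdir -p "/etc/netns/$NS"
    run touch "/etc/netns/$NS/resolv.conf"
    run ip netns exec "$NS" dhclient "$IFACE"
    # Only processes started this way (and their children) are in $NS.
    run ip netns exec "$NS" runuser -u "$USER_NAME" -- "$@"
}

# Approach 2 (Martijn): the device stays system-wide; the user's packets are
# marked with the netfilter owner match and routed through a separate table.
# The owner match exists only for locally generated packets (OUTPUT and
# POSTROUTING), so inbound connections are not covered by it.
netfilter_owner_route() {
    uid="$1"
    gw="${GW:-192.0.2.1}"   # assumed gateway on the broadband link
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$gw" dev "$IFACE" table "$TABLE"
    # Keep other users' sockets off the device. Caveat: packets without a
    # socket owner (kernel-generated ICMP, TCP resets) and root's own
    # traffic, such as dhclient renewals, are rejected by this rule too.
    run iptables -A OUTPUT -o "$IFACE" -m owner ! --uid-owner "$uid" -j REJECT
    # Replies arrive on $IFACE although the main table would route the
    # peer elsewhere; strict reverse-path filtering would drop them.
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=2"
}

case "${1:-}" in
    netns)     shift; netns_isolate "$@" ;;
    netfilter) netfilter_owner_route "$(id -u "$USER_NAME")" ;;
esac
```

Usage: `./peruser-net.sh netns firefox` prints the namespace sequence, `DRY_RUN=0 sudo ./peruser-net.sh netns firefox` applies it, and `./peruser-net.sh netfilter` shows the owner-match variant. The caveats in the comments are where Martijn's "never work satisfactorily" shows up in practice: the owner match sees only locally generated packets, the REJECT rule cannot distinguish socket-less kernel traffic, and policy routing by mark needs rp_filter relaxed. The namespace approach has none of those problems, but the device is then invisible to every process outside the namespace, including NetworkManager itself.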
