Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-26 Thread Patrick McHardy
[EMAIL PROTECTED] wrote: What is missing ? - The routes are not yet isolated, that implies: - binding to another container's address is allowed - an outgoing packet which has an unset source address can potentially get another container's address - an

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-20 Thread Daniel Lezcano
Al Viro wrote: On Fri, Jun 09, 2006 at 11:02:02PM +0200, [EMAIL PROTECTED] wrote: - renaming an interface in one namespace affects everyone. Exact. If we ensure the interface can't be renamed if used in different namespace, is it really a problem ?

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-20 Thread Al Viro
On Tue, Jun 20, 2006 at 11:21:43PM +0200, Daniel Lezcano wrote: Al Viro wrote: On Fri, Jun 09, 2006 at 11:02:02PM +0200, [EMAIL PROTECTED] wrote: - renaming an interface in one namespace affects everyone. Exact. If we ensure the interface can't be renamed if used in different namespace, is

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-20 Thread Daniel Lezcano
Al Viro wrote: On Tue, Jun 20, 2006 at 11:21:43PM +0200, Daniel Lezcano wrote: Al Viro wrote: On Fri, Jun 09, 2006 at 11:02:02PM +0200, [EMAIL PROTECTED] wrote: - renaming an interface in one namespace affects everyone. Exact. If we ensure the interface can't be renamed if used in

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-18 Thread Al Viro
On Fri, Jun 09, 2006 at 11:02:02PM +0200, [EMAIL PROTECTED] wrote: What is missing ? - The routes are not yet isolated, that implies: - binding to another container's address is allowed - an outgoing packet which has an unset source address can potentially get

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-16 Thread Daniel Lezcano
Eric W. Biederman wrote: Have you seen my previous work in this direction? I know I had a much much more complete implementation. The only part I had not completed was iptables support and that was about a day's more work. No, I didn't see your work, is it possible to send me a pointer on

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-16 Thread Eric W. Biederman
Daniel Lezcano [EMAIL PROTECTED] writes: Eric W. Biederman wrote: Have you seen my previous work in this direction? I know I had a much much more complete implementation. The only part I had not completed was iptables support and that was about a day's more work. No, I didn't see your

Re: [RFC] [patch 0/6] [Network namespace] introduction

2006-06-15 Thread Eric W. Biederman
My apologies for not looking at this earlier. I had an email hiccup so I'm having to recreate the context from email archives, and you didn't copy me. Have you seen my previous work in this direction? I know I had a much much more complete implementation. The only part I had not completed was

[RFC] [patch 0/6] [Network namespace] introduction

2006-06-09 Thread dlezcano
The following patches create a private network namespace for use within containers. This is intended for use with system containers like vserver, but might also be useful for restricting individual applications' access to the network stack. These patches isolate traffic inside the network