Serge E. Hallyn wrote:
Quoting Cedric Le Goater ([email protected]):
we could work on virtualizing the net interfaces in the host, map them to
eth0 or something in the guest and let the guest handle upper network layers ?
lo0 would just be exposed relying on skbuff tagging to discriminate traffic
between guests.
This seems to me the preferable way. We create a full virtual net
device for each new container, and fully virtualize the device
namespace.
I have a few questions about all the network isolation stuff:
* What level of isolation is wanted for the network ? network devices
? IPv4/IPv6 ? TCP/UDP ?
* How is handled the incoming packets from the network ? I mean what
will be mecanism to dispatch the packet to the right virtual device ?
* How to handle the SO_BINDTODEVICE socket option ?
* Has the virtual device a different MAC address ? How to manage it
with the real MAC address on the system ? How to manage ARP, ICMP,
multicasting and IP ?
It seems for me, IMHO that will require a lot of translation and
browsing table. It will probably add a very significant overhead.
* How to handle NFS access mounted outside of the container ?
* How to handle ICMP_REDIRECT ?
Regards
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
