On 1/24/17 2:24 PM, Andy Lutomirski wrote:
> I was hoping for an actual likely use case for the bpf hooks to be run
> in all namespaces. You're arguing that iproute2 can be made to work
> mostly okay if bpf hooks can run in all namespaces, but the use case
> of intentionally making sk_bound_dev_if invalid across all namespaces
> seems dubious.
You can use the bpf hook to deny socket create based on family and/or protocol.
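An illustration of the kind of policy the reply describes, added here as an example and not code from the thread or from the kernel tree: a cgroup socket-create program that refuses packet sockets and raw IP sockets for every process in the cgroup it is attached to. It assumes a kernel whose `struct bpf_sock` exposes `family`, `type` and `protocol`, and attachment at `BPF_CGROUP_INET_SOCK_CREATE`; the function name and the policy itself are hypothetical.

```c
/* Added example: cgroup socket-create filter (hypothetical policy). */
#include <linux/bpf.h>            /* struct bpf_sock: family, type, protocol */

#ifdef __bpf__                    /* built with clang -target bpf */
#define SEC(name) __attribute__((section(name), used))
#define AF_INET    2              /* Linux ABI values, defined here because */
#define AF_INET6   10             /* libc headers are usually unavailable   */
#define AF_PACKET  17             /* when compiling for the BPF target      */
#define SOCK_RAW   3
#else                             /* host build, used to unit-test the policy */
#define SEC(name)
#include <sys/socket.h>
#endif

/* Return values understood by the cgroup sock hook. */
#define SOCK_ALLOW 1              /* socket() proceeds */
#define SOCK_DENY  0              /* socket() fails with EPERM */

SEC("cgroup/sock")
int sock_create_filter(struct bpf_sock *sk)
{
    /* Deny by family: no link-layer capture or injection from this cgroup. */
    if (sk->family == AF_PACKET)
        return SOCK_DENY;

    /* Deny by family and type: no raw IPv4/IPv6 sockets, whatever protocol. */
    if ((sk->family == AF_INET || sk->family == AF_INET6) &&
        sk->type == SOCK_RAW)
        return SOCK_DENY;

    /* Everything else (TCP, UDP, AF_UNIX, netlink, ...) is left alone. */
    return SOCK_ALLOW;
}

char _license[] SEC("license") = "GPL";
```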