On Sat, Sep 09, 2006 at 11:57:24AM +0400, Dmitry Mishin wrote:
> On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
> > actually the light-weight ip isolation runs perfectly
> > fine _without_ CAP_NET_ADMIN, as you do not want the
> > guest to be able to mess with the 'configured' ips at
> > all (not to speak of interfaces here)

> It was only an example. I'm thinking about how to implement flexible
> solution, which permits light-weight ip isolation as well as
> full-fledged network virtualization. Another solution is to split
> CONFIG_NET_NAMESPACE. Is it good for you?

well, I think it would be best to have both, as they
are complementary to some degree, and IMHO both, the
full virtualization _and_ the isolation will require a
separate namespace to work, I also think that limiting
the isolation to something very simple (like one IP +
network or so) would be acceptable for a start, because
especially multi IP or network range checks require a
little more effort to get them right ...

I do not think that folks would want to recompile their
kernel just to get a light-weight guest or a fully
virtualized one

best,
Herbert

> --
> Thanks,
> Dmitry.