On Wed, Mar 14, 2018 at 10:13:22AM -0700, David Ahern wrote:
> On 3/13/18 8:39 PM, Alexei Starovoitov wrote:
> > For our container management we've been using complicated and fragile setup
> > consisting of LD_PRELOAD wrapper intercepting bind and connect calls from
> > all containerized applications.
> > The setup involves per-container IPs, policy, etc, so traditional
> > network-only solutions that involve VRFs, netns, acls are not applicable.
>
> Why does VRF and the cgroup option to bind sockets to the VRF not solve
> this problem for you? The VRF limits the source address choices.

answered in reply to Eric. Pls follow up there if it's still not clear.
