Subject: Re: [PATCH RFC bpf-next 0/6] bpf: introduce cgroup-bpf bind, connect, post-bind hooks
From: David Ahern
To: Alexei Starovoitov, davem@davemloft.net
Cc: daniel@iogearbox.net, netdev@vger.kernel.org, kernel-team@fb.com
Date: Wed, 14 Mar 2018 10:13:22 -0700
Message-ID: <0edde01a-c9bb-7de2-ede1-dc52996c12c2@gmail.com>
In-Reply-To: <20180314033934.3502167-1-ast@kernel.org>

On 3/13/18 8:39 PM, Alexei Starovoitov wrote:
> For our container management we've been using a complicated and fragile setup
> consisting of an LD_PRELOAD wrapper intercepting bind and connect calls from
> all containerized applications.
> The setup involves per-container IPs, policy, etc., so traditional
> network-only solutions that involve VRFs, netns, ACLs are not applicable.

Why do VRF and the cgroup option to bind sockets to the VRF not solve this
problem for you? The VRF limits the source address choices.
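For readers who have not seen the LD_PRELOAD approach the quoted text refers to, here is an added example of such a shim. It is written for this page and is not the thread's code or the wrapper Alexei's team runs; the per-container IP is taken from a CONTAINER_IP environment variable, which is an assumption of the example, and only AF_INET is handled. The rewrite rule is kept as a plain function so it can be checked without opening sockets.

```c
/* Added example, not from the thread: a minimal LD_PRELOAD shim that forces
 * a per-container source IP onto bind()/connect() from the application.
 * Assumptions: the IP comes from the CONTAINER_IP environment variable
 * (hypothetical), and only AF_INET sockets are handled. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same prototype as libc's; repeated in case strict-ISO mode hides it. */
extern long syscall(long number, ...);

/* Rewrite rule kept as a pure function so it can be tested without sockets:
 * an AF_INET address bound to the wildcard 0.0.0.0 is replaced by the
 * container's IP (network byte order). Explicit addresses, other address
 * families and short sockaddrs (e.g. AF_UNIX) are left alone.
 * Returns 1 if the address was rewritten, 0 otherwise. */
int rewrite_bind_addr(struct sockaddr_in *sa, socklen_t len,
                      uint32_t container_ip_be)
{
    if (len < sizeof(*sa) || sa->sin_family != AF_INET)
        return 0;
    if (sa->sin_addr.s_addr != htonl(INADDR_ANY))
        return 0;
    sa->sin_addr.s_addr = container_ip_be;
    return 1;
}

/* Per-container IP from CONTAINER_IP (assumed for this example); 0 means
 * "no policy", in which case the calls pass through unchanged. */
static uint32_t container_ip_from_env(void)
{
    const char *s = getenv("CONTAINER_IP");
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return a.s_addr;
}

/* Interposed bind(). The copy leaves the caller's buffer untouched, and the
 * real call goes through syscall(2), so no dlsym(RTLD_NEXT) is needed. */
int bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    uint32_t ip = container_ip_from_env();
    if (ip != 0 && len >= sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) {
        struct sockaddr_in copy;
        memcpy(&copy, addr, sizeof(copy));
        if (rewrite_bind_addr(&copy, sizeof(copy), ip))
            return (int)syscall(SYS_bind, fd, &copy, sizeof(copy));
    }
    return (int)syscall(SYS_bind, fd, addr, len);
}

/* Interposed connect(). The kernel picks the source address at connect
 * time, so the shim pre-binds the socket to the container IP (port 0 = any)
 * if the application has not bound it itself. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    uint32_t ip = container_ip_from_env();
    if (ip != 0 && len >= sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) {
        struct sockaddr_in cur;
        socklen_t cur_len = sizeof(cur);
        if (getsockname(fd, (struct sockaddr *)&cur, &cur_len) == 0 &&
            cur.sin_family == AF_INET && cur.sin_port == 0 &&
            cur.sin_addr.s_addr == htonl(INADDR_ANY)) {
            struct sockaddr_in local;
            memset(&local, 0, sizeof(local));
            local.sin_family = AF_INET;
            local.sin_port = 0;
            local.sin_addr.s_addr = ip;
            /* if this fails, fall through and let connect() report the error */
            syscall(SYS_bind, fd, &local, sizeof(local));
        }
    }
    return (int)syscall(SYS_connect, fd, addr, len);
}
```

Build with `gcc -shared -fPIC -o shim.so shim.c` and run an application as `LD_PRELOAD=./shim.so CONTAINER_IP=10.0.1.5 ./app`. The example also shows why such a setup is fragile rather than a security boundary: statically linked binaries and programs that issue the socket syscalls directly never go through the shim, the dynamic loader ignores LD_PRELOAD for set-user-ID executables, the application can clear the environment or the preload before spawning children, and every address family and socket API variant (AF_INET6 here, sendto() on unconnected UDP sockets) has to be covered one by one. A hook in the kernel applies regardless of how the application reaches bind() or connect().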