[RFC][PATCH] IP address restricting cgroup subsystem

Dan Smith danms at us.ibm.com
Fri Jan 9 10:12:24 PST 2009


GR> I have tried something similar, only with
GR> CLONE_FILES|CLONE_FS|CLONE_VM|CLONE_NEWNET, and actually creating
GR> a virtual interface and controlling socket or thread in each new
GR> network namespace.

My initial test was to create a veth pair and move one end into the
namespace during create.  That failed in the same way, so I took the
veths out of the equation with the posted test.

GR> This scales to a couple of thousand interfaces, though interface
GR> creation takes a long time if more than 1,000 interfaces or so are
GR> created.

Yeah, just creating a bunch of pairs starts to slow down after a
hundred veths or so.  I think that for thousands of network
namespaces, things would be pretty painful.

GR> I can send you the code if you like.

I'd like to see it.

Thanks!

-- 
Dan Smith
IBM Linux Technology Center
email: danms at us.ibm.com
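The setup Dan describes (a veth pair per namespace, one end moved into the namespace, then watching creation time grow with the count) can be reproduced with a small script like the following. This is an added example, not code from the thread or from either poster; it assumes a modern iproute2 with `ip netns` support (which did not exist in 2009), must run as root to create interfaces, and uses an arbitrary `vt` name prefix. With DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original thread): create N veth pairs, move one
# end of each into a fresh network namespace, and report elapsed time after
# every BATCH pairs so the per-pair creation cost can be observed as the
# number of namespaces grows. Requires root and iproute2 when run for real;
# DRY_RUN=1 only echoes the commands.
set -eu

N="${N:-100}"            # number of veth pairs / namespaces to create
BATCH="${BATCH:-25}"     # print elapsed time after every BATCH pairs
DRY_RUN="${DRY_RUN:-0}"  # 1 = print commands instead of executing them
PREFIX="${PREFIX:-vt}"   # interface/namespace name prefix (arbitrary choice)

# run: execute a command, or echo it unchanged when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# create_pair I: make namespace PREFIX+I, a veth pair PREFIX+I+a/b,
# and move the "b" end into that namespace
create_pair() {
    i="$1"
    run ip netns add "${PREFIX}${i}"
    run ip link add "${PREFIX}${i}a" type veth peer name "${PREFIX}${i}b"
    run ip link set "${PREFIX}${i}b" netns "${PREFIX}${i}"
}

# cleanup_pair I: deleting the namespace also destroys the veth pair,
# since one end lives inside it
cleanup_pair() {
    i="$1"
    run ip netns del "${PREFIX}${i}"
}

# create_all: create N pairs, printing a timing line every BATCH pairs
create_all() {
    start=$(date +%s)
    i=1
    while [ "$i" -le "$N" ]; do
        create_pair "$i"
        if [ $((i % BATCH)) -eq 0 ]; then
            now=$(date +%s)
            echo "created $i pairs, $((now - start))s elapsed so far" >&2
        fi
        i=$((i + 1))
    done
}

# cleanup_all: tear down everything create_all made
cleanup_all() {
    i=1
    while [ "$i" -le "$N" ]; do
        cleanup_pair "$i"
        i=$((i + 1))
    done
}

# Entry point: "create" or "cleanup" as the first argument; with no
# argument the script only defines the functions above.
case "${1:-}" in
    create)  create_all ;;
    cleanup) cleanup_all ;;
esac
```

Usage: `sudo N=500 BATCH=50 ./veth-scale.sh create` followed by `sudo N=500 ./veth-scale.sh cleanup`; `DRY_RUN=1 N=3 ./veth-scale.sh create` shows the exact `ip` commands without touching the system. The elapsed-time lines go to stderr so stdout stays clean in dry-run mode.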