bubblewrap
Feature request: block access to local network
Applications that legitimately need network access might exploit servers listening on the local network (link-local, loopback, or private IP ranges), which often do not have any authentication, or have insufficient authentication. One example is the EC2 metadata API, which exposes secrets without authentication.
It would be very useful to block connections to these IPs entirely. One way, I think, is to set up a network namespace, a NAT-ed tunnel device and a set of iptables rules, but it might be simpler to use seccomp and block all IP addresses in the private range in the connect() syscall.
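The address test that either approach in the request comes down to, as an added C example (not part of the original thread or of bubblewrap's code): it classifies a connect() destination as loopback, link-local or private, and also covers 0.0.0.0/8 and IPv4-mapped IPv6 addresses, which an IPv4-only range check would miss. The function names are hypothetical, and how the sockaddr reaches the check is not shown; a classic seccomp BPF filter sees only the pointer value of connect()'s address argument, not the bytes it points to.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* 1 if the IPv4 address (host byte order) is loopback, link-local or private. */
static int is_local_v4(uint32_t a)
{
    return (a >> 24) == 127 || (a >> 24) == 0 /* 127/8 loopback, 0/8 "this host" */
        || (a >> 24) == 10                    /* 10.0.0.0/8     private    */
        || (a >> 20) == 0xAC1                 /* 172.16.0.0/12  private    */
        || (a >> 16) == 0xC0A8                /* 192.168.0.0/16 private    */
        || (a >> 16) == 0xA9FE;               /* 169.254.0.0/16 link-local */
}

/* Hypothetical helper: 1 if a connect() to this destination should be refused. */
int is_local_destination(const struct sockaddr *sa, socklen_t len)
{
    if (len < sizeof(sa->sa_family))
        return 1;                             /* malformed: fail closed */
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        return len < sizeof *in4 || is_local_v4(ntohl(in4->sin_addr.s_addr));
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        uint32_t v4;
        if (len < sizeof(struct sockaddr_in6))
            return 1;                         /* malformed: fail closed */
        memcpy(&v4, &a->s6_addr[12], sizeof v4); /* last 4 bytes: embedded IPv4 */
        if (IN6_IS_ADDR_V4MAPPED(a))          /* ::ffff:a.b.c.d reaches IPv4 hosts */
            return is_local_v4(ntohl(v4));
        return IN6_IS_ADDR_LOOPBACK(a) || IN6_IS_ADDR_UNSPECIFIED(a)
            || IN6_IS_ADDR_LINKLOCAL(a) || (a->s6_addr[0] & 0xfe) == 0xfc; /* fe80::/10, fc00::/7 */
    }
    return 0;                                 /* AF_UNIX etc. are not IP traffic */
}

/* Convenience wrapper for textual addresses; returns -1 if unparsable. */
int is_local_text(const char *ip)
{
    struct sockaddr_in in4 = { .sin_family = AF_INET };
    struct sockaddr_in6 in6 = { .sin6_family = AF_INET6 };
    if (inet_pton(AF_INET, ip, &in4.sin_addr) == 1)
        return is_local_destination((struct sockaddr *)&in4, sizeof in4);
    if (inet_pton(AF_INET6, ip, &in6.sin6_addr) == 1)
        return is_local_destination((struct sockaddr *)&in6, sizeof in6);
    return -1;
}
```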
One way I think is to set up a network namespace, a NAT-ed tunnel device and a set of iptables rules
An unprivileged user on the host won't be able to set up NAT on the host side of the tunnel/veth pair. However, a userspace network stack could help achieve the same goal; see #392.