
Support iptables-like filtering

Status: Open. sirdarckcat opened this issue 4 years ago • 4 comments

Seems like it's possible to do IP packet filtering inside network namespaces. Not sure how something like this could be implemented, so just throwing it out there as an idea.

https://github.com/deitch/ctables/blob/master/ctables
https://stackoverflow.com/questions/35695840/iptables-not-working-on-macvlan-traffic-in-container

sirdarckcat (May 29 '20 11:05)

(I was looking into this to limit the bandwidth used by the contained service)

sirdarckcat (May 29 '20 14:05)

Maybe filtering on a syscall level could work for this, using https://github.com/google/kafel?

Otherwise I'd think you'd need to create a new virtual interface, add iptables rules, and then pass that to the jailed process.

juliangruber (Feb 23 '21 10:02)

Hmm interesting. @happyCoder92 WDYT?

sirdarckcat (Feb 23 '21 10:02)

Keep in mind that when passing a virtual interface you need to use sudo.

juliangruber (Feb 23 '21 12:02)
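As an added example that is not part of this thread or of nsjail itself, here is the approach described above (virtual interface, iptables rules, hand the result to the jailed process) done with a veth pair and a named network namespace, which is also where the sudo caveat comes from. The namespace name, interface names and the 10.200.0.0/24 addresses are constructed; nsjail's `--disable_clone_newnet` flag keeps the jail in the namespace that `ip netns exec` already put it in.

```shell
#!/bin/sh
# Added example (not nsjail's code): jail in its own network namespace,
# iptables rules applied inside that namespace, nsjail started within it.
set -eu
NS="${NS:-jailnet}"            # namespace name (constructed)
VETH_HOST="veth-jail-h"        # host end of the veth pair
VETH_JAIL="veth-jail-j"        # end moved into the namespace
HOST_IP="10.200.0.1"           # constructed RFC 1918 addresses
JAIL_IP="10.200.0.2"
# Rules for inside the namespace: default DROP, allow loopback and reply
# traffic, and only let the jail open DNS and HTTPS connections outbound.
jail_iptables_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
EOF
}
# Needs root (CAP_NET_ADMIN): this is the "sudo" caveat from the thread.
setup_jail_netns() {
    ip netns add "$NS"
    ip link add "$VETH_HOST" type veth peer name "$VETH_JAIL"
    ip link set "$VETH_JAIL" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    ip link set "$VETH_HOST" up
    ip -n "$NS" addr add "$JAIL_IP/24" dev "$VETH_JAIL"
    ip -n "$NS" link set "$VETH_JAIL" up
    ip -n "$NS" link set lo up
    ip -n "$NS" route add default via "$HOST_IP"
    # The filter table is per network namespace: these rules only see
    # traffic of processes inside $NS and never touch the host's rules.
    jail_iptables_rules | while read -r rule; do
        ip netns exec "$NS" iptables $rule   # word-split on purpose
    done
}
# --disable_clone_newnet makes nsjail keep the namespace it was started
# in instead of creating a fresh, empty one.
run_jailed() {
    ip netns exec "$NS" nsjail --disable_clone_newnet --chroot / -- "$@"
}
case "${1:-}" in
    setup) setup_jail_netns ;;
    run)   shift; run_jailed "$@" ;;
esac
```

Run as root: `sh jail_net.sh setup`, then `sh jail_net.sh run /bin/sh`. Host-side forwarding and NAT for the veth are deliberately left out, so add them only if the jail is meant to reach beyond the host.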