Open netblue30 opened 8 years ago
The problem is an interface cannot belong to more than one network namespace. The feature cannot be implemented without Linux kernel modifications.
Is it possible to have explicit blacklisting of existing network interfaces then? This would achieve the same result if one blacklisted all interfaces except the loopback. Or is this impossible due to the same Linux kernel technical restrictions, despite being worded differently?
No, blacklisting will not work because of the way they set the namespace inside the kernel. I'll try to build a proxy and move the network traffic between the two loopback interfaces (the one on the host, and the one in the sandbox). I think it should work.
One approach could be to create a veth pair to redirect all within-sandbox traffic to the host, and use an iptables rule to route all that traffic to 127.0.0.1? Or to another specific IP/port. I do that to redirect all my sandboxes' network traffic to my host's default gateway, providing transparent networking with bandwidth control.
Two years later, and there's still no progress on it? I'd like to make a bitcoin donation to make this feature implemented 😆
As far as I know, it's been another year now @biergaizi :wink:
socat to the rescue!
An alternative solution is to configure your service to be accessible via a socket file, then set up a sandbox with --net=none, and finally run socat IN the sandbox to listen on the sandbox's loopback interface, and redirect the connection to the socket file.
If that service is torsocks, you'll need to add --whitelist=/run/tor, and run this within the sandbox:
socat TCP-LISTEN:9050,fork,bind=localhost UNIX-CONNECT:/run/tor/socks
Edit: add --whitelist mention
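A minimal Python equivalent of the socat relay in the comment above, added here as an example (it is neither firejail's code nor the commenter's): it listens on the sandbox's own loopback and forwards each TCP connection to a UNIX socket, which in the torsocks case would be /run/tor/socks whitelisted into the --net=none sandbox. The UNIX echo service inside demo_roundtrip is a constructed stand-in for the real service, used only to check that bytes travel both ways.

```python
# Stand-in for: socat TCP-LISTEN:9050,fork,bind=localhost UNIX-CONNECT:/run/tor/socks
import contextlib, os, socket, tempfile, threading

def _pump(src, dst):
    """Copy one direction until EOF, then half-close the other side."""
    with contextlib.suppress(OSError):
        for chunk in iter(lambda: src.recv(65536), b""):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(client, unix_path):
    """One accepted loopback client <-> one fresh connection to the UNIX socket."""
    with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as upstream:
        with contextlib.suppress(OSError):  # unreachable service: just drop the client
            upstream.connect(unix_path)
            back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            back.start()
            _pump(client, upstream)
            back.join()

def serve(unix_path, port=9050, host="127.0.0.1"):
    """Bind the sandbox loopback only (port 0 picks a free one); returns (socket, port)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((host, port))
    lst.listen(16)
    def accept_loop():
        with contextlib.suppress(OSError):  # ends when the listener is closed
            while True:
                threading.Thread(target=_relay, args=(lst.accept()[0], unix_path), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lst, lst.getsockname()[1]

def demo_roundtrip(payload):
    """Self-check: a constructed UNIX echo service stands in for /run/tor/socks."""
    path = os.path.join(tempfile.mkdtemp(), "svc.sock")
    echo = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    echo.bind(path)
    echo.listen(1)
    def echo_once():
        with echo, echo.accept()[0] as conn:
            for chunk in iter(lambda: conn.recv(65536), b""):
                conn.sendall(chunk)
    threading.Thread(target=echo_once, daemon=True).start()
    lst, port = serve(path, port=0)
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        got = b"".join(iter(lambda: c.recv(65536), b""))
    lst.close()
    return got
```

Inside the sandbox the real call would be serve("/run/tor/socks", 9050) kept alive in the foreground; the host-side host:9050 listener is never touched because the namespace only contains the sandbox's loopback.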
What if we just want to keep a buggy Stable Diffusion frontend from re-downloading hundreds or thousands of megabytes of data model every time it's started but still need to access the web UI it exposes over a TCP socket?
(Bear in mind these things tend to be hellishly confusing messes of pseudo-containerized Python as soon as you need to customize their behaviour beyond choosing whether to bind to localhost or listen on all interfaces.)
I've seen multiple places (e.g. this Unix & Linux StackExchange question) where people want this, but nobody seems to just provide a simple "here's an example complete solution" for the approaches suggested in #3439.
--dns=0.0.0.0 or --hosts-file=... can be used to stop at DNS level.
ncat when using --net=none.
> but nobody seems to just provide a simple "here's an example complete solution"
Something as simple as
crablock --pasta-t=8080 --pasta-config-net=false -- /usr/bin/python3 -m http.server 8080
As long as you do not need loopback traffic between sandbox and host.
Currently, --net=none creates a network namespace with only a new loopback interface. Implement a --net=local option that would create a network namespace with only the existing loopback interface. Reported on wordpress.com