netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.54k stars 556 forks

Support for --net=local #108

Open netblue30 opened 8 years ago

netblue30 commented 8 years ago

Currently, --net=none creates a network namespace with only a new loopback interface. Implement a --net=local option that would create a network namespace with only the existing loopback interface. Reported on wordpress.com

netblue30 commented 8 years ago

The problem is an interface cannot belong to more than one network namespace. The feature cannot be implemented without Linux kernel modifications.

pitchforks commented 8 years ago

Is it possible to have explicit blacklisting of existing network interfaces then? This would achieve the same result if one blacklisted all interfaces except the loopback. Or is this impossible due to same Linux kernel technical restrictions, despite being worded differently?

netblue30 commented 8 years ago

No, blacklisting will not work because of the way they set the namespace inside the kernel. I'll try to build a proxy and move the network traffic between the two loopback interfaces (the one on the host, and the one in the sandbox). I think it should work.

Sidnioulz commented 8 years ago

One approach could be to create a veth pair to redirect all within-sandbox traffic to the host, and use an iptables rule to route all that traffic to 127.0.0.1? Or to another specific IP/port. I do that to redirect all my sandboxes' network traffic to my host's default gateway, providing transparent networking with bandwidth control.

biergaizi commented 6 years ago

Two years later, and there's still no progress on it? I'd like to make a bitcoin donation to make this feature implemented 😆

chiraag-nataraj commented 6 years ago

As far as I know, it's been another year now @biergaizi :wink:

guillaume-uH57J9 commented 1 year ago

socat to the rescue!

An alternative solution is to configure your service to be accessible via a socket file, then set up a sandbox with --net=none, and finally run socat IN the sandbox to listen on the sandbox's loopback interface, and redirect the connection to the socket file.

If that service is torsocks, you'll need to add --whitelist=/run/tor, and run this within the sandbox: socat TCP-LISTEN:9050,fork,bind=localhost UNIX-CONNECT:/run/tor/socks

Edit: add --whitelist mention
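What the socat command above does, written out as an added Python example (not firejail's code and not the commenter's): a relay that listens on the sandbox's loopback address only and forwards each accepted connection to a Unix socket file. The socket file is a filesystem object, so it crosses the network namespace boundary that interfaces cannot, which is why this works under --net=none with the socket directory whitelisted. The echo backend, the temporary socket path and the sample payload are constructed for the self-contained round trip; in real use start_relay() would be pointed at the whitelisted socket (e.g. /run/tor/socks on port 9050) and run inside the sandbox.

```python
"""Loopback TCP -> Unix-socket relay (the role socat plays in the comment above).

Added example, not part of the firejail project. Inside a --net=none sandbox,
a client connecting to 127.0.0.1:<port> is bridged to a Unix socket file that
the host-side service listens on. Bind to the loopback address only, so the
relay is the sandbox's one path to the service.
"""
import asyncio
import os
import tempfile


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        if writer.can_write_eof():
            writer.write_eof()


async def _handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter,
                  socket_path: str) -> None:
    """One accepted loopback connection: dial the Unix socket, relay both ways."""
    try:
        unix_r, unix_w = await asyncio.open_unix_connection(socket_path)
    except OSError:
        client_w.close()  # backend socket absent or not whitelisted: refuse cleanly
        return
    await asyncio.gather(_pump(client_r, unix_w), _pump(unix_r, client_w))
    client_w.close()
    unix_w.close()


async def start_relay(port: int, socket_path: str,
                      host: str = "127.0.0.1") -> asyncio.AbstractServer:
    """Listen on loopback only (socat's bind=localhost) and relay to socket_path."""
    return await asyncio.start_server(
        lambda r, w: _handle(r, w, socket_path), host=host, port=port)


async def _echo_server(socket_path: str) -> asyncio.AbstractServer:
    """Constructed stand-in for the host-side service (tor's SOCKS socket, say)."""
    async def echo(r: asyncio.StreamReader, w: asyncio.StreamWriter) -> None:
        data = await r.read()  # read until the relay half-closes
        w.write(data)
        await w.drain()
        w.close()
    return await asyncio.start_unix_server(echo, path=socket_path)


async def _roundtrip(payload: bytes) -> bytes:
    with tempfile.TemporaryDirectory() as d:
        sock = os.path.join(d, "service.sock")  # constructed socket path
        backend = await _echo_server(sock)
        relay = await start_relay(0, sock)  # port 0: kernel picks a free port
        port = relay.sockets[0].getsockname()[1]
        r, w = await asyncio.open_connection("127.0.0.1", port)
        w.write(payload)
        w.write_eof()
        reply = await r.read()
        w.close()
        relay.close()
        backend.close()
        return reply


def roundtrip(payload: bytes) -> bytes:
    """Send payload through loopback TCP -> relay -> Unix socket and return the echo."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    print(roundtrip(b"hello via sandbox loopback"))
```

The multi-chunk case matters in practice: a SOCKS or HTTP session is longer than one read, so the relay must keep copying until the peer half-closes rather than forwarding a single buffer and hanging up.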

ssokolow commented 6 months ago

What if we just want to keep a buggy Stable Diffusion frontend from re-downloading hundreds or thousands of megabytes of data model every time it's started but still need to access the web UI it exposes over a TCP socket?

(Bear in mind these things tend to be hellishly confusing messes of pseudo-containerized Python as soon as you need to customize their behaviour beyond choosing whether to bind to localhost or listen on all interfaces.)

I've seen multiple places (e.g. this Unix & Linux StackExchange question) where people want this, but nobody seems to just provide a simple "here's an example complete solution" for the approaches suggested in #3439.

rusty-snake commented 6 months ago

but nobody seems to just provide a simple "here's an example complete solution"

Something as simple as

crablock --pasta-t=8080 --pasta-config-net=false -- /usr/bin/python3 -m http.server 8080

kmk3 commented 5 months ago

Could it work by doing nolocal in reverse?

https://github.com/netblue30/firejail/blob/549d59f55df0b5412eb5fbecfb3586bfa222bd8d/etc/net/nolocal.net#L1-L36

https://github.com/netblue30/firejail/blob/549d59f55df0b5412eb5fbecfb3586bfa222bd8d/etc/net/nolocal6.net#L1-L41

rusty-snake commented 5 months ago

As long as you do not need loopback traffic between Sandbox and host.