On Aug 20, 2013 11:20 AM, "Michał Górny" <mgorny@g.o> wrote:
>
> On 2013-08-20, at 11:04:35
> Alexis Ballier <aballier@g.o> wrote:
>
> > On Tue, 20 Aug 2013 12:26:03 +0200
> > Michał Górny <mgorny@g.o> wrote:
> > >
> > > 2. FEATURES=network-sandbox
> > >
> >
> > does distcc work with this?
>
> You could say that. It just can't connect to any other host :).
>
> We may try to handle this somehow but I can't immediately think of any
> sane way of 'escaping' the sandbox.

You could do it the same way as LXC does, with a virtual interface which is
then NAT-ed to the real network interface, but I'm not sure I'd consider
this sane. The overhead required to set this up on every execution of gcc,
let alone the modifications needed for NAT, pretty much rules this
out completely. You might be able to exploit iptables and ip6tables to
allow only distcc to communicate out, but that's still painful and is a
hack at best.

-Doug