bypass4netns is as fast as --net=host and almost as secure as traditional slirp4netns.
The current version of bypass4netns needs to be used in conjunction with slirp4netns, however, future version may work without slirp4netns.
The project name is still subject to change.
Workload: iperf3 -c HOST_IP from podman run
--net=host(insecure): 57.9 Gbps- bypass4netns: 56.5 Gbps
- slirp4netns: 7.56 Gbps
To be documented. See the code :)
- kernel >= 5.9
- crun >= 0.15
- libseccomp >= 2.5
- Rootless Docker or Rootless Podman
$ LIBSECCOMP_PREFIX=/opt/libseccomp ./make.sh$ ./bin/bypass4netns$ podman run -it --rm --runtime $(pwd)/test/crun-bypass4netns --security-opt seccomp=$(pwd)/test/seccomp.json alpineAccesses to host abstract sockets and host loopback IPs (127.0.0.0/8) from containers are designed to be rejected.
However, it is probably possible to connect to host loopback IPs by exploiting TOCTOU
of struct sockaddr * pointers.
- Stop hard-coding
docker network createCIDR (172.0.0.0/8) andpodman network createCIDR (10.0.0.0/8) - Accelerate port forwarding (
docker run -pandpodman run -p) as well - Rewrite in Go, perhaps