Validate whether process belongs to the container's NetNS

[naoki9911]

bypass4netns handles all sockets in the container NetNS.
However, in the nested NetNS environment, it wrongly bypasses sockets in the nested NetNS.
It causes the following issues.
#65
#66

This patch makes bypass4netns ignore any sockets created in non-container NetNS including nested ones.

[AkihiroSuda]

Thank you, but this still does not seem to fix:

• [Usernetes] kube-apiserver fails to connect to etcd: dial tcp 127.0.0.1:2379: connect: connection refused #65

I also wonder if this PR disables the entire acceleration for connect(2)?

[AkihiroSuda]

For #65, this seems to work as a workaround

• Add --ignore-bind (bind is already fast without bypassing) #68

[naoki9911]

this still does not seem to fix

Thanks, the issue seems to stem from other reasons.
I'm going to investigate this issue with Usernetes environment.

this PR disables the entire acceleration for connect(2)?

Yes, this disables entire acceleration including connect(2) and bind(2) with processes in nested NetNS.
Enabling acceleration in nested NetNS can cause unexpected communication, and it actually allows processes to communicate with external endpoints without creating veth or configuring IP masquerade in nested NetNS.
We need to consider whether this behavior is acceptable or not.

[AkihiroSuda]

At least connect() to the Internet should still be accelerated even with nested netns.
--ignore-bind (#68) with ignore-list seems to work.
Let me know if we can safely merge #68.