From: Dan Williams <dcbw@redhat.com>
To: Cong Wang <xiyou.wangcong@gmail.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Netdev <netdev@vger.kernel.org>, Mathias <mathias@hall-andersen.dk>
Subject: Re: cross namespace interface notification for tun devices
Date: Wed, 20 Sep 2017 14:57:34 -0500 [thread overview]
Message-ID: <1505937454.9403.2.camel@redhat.com> (raw)
In-Reply-To: <CAM_iQpXhjuh5NJJiAwBJG4EpkWXWz74WS7RFjt5L1mDV9nKTVw@mail.gmail.com>
On Wed, 2017-09-20 at 11:29 -0700, Cong Wang wrote:
> On Tue, Sep 19, 2017 at 2:02 PM, Jason A. Donenfeld <Jason@zx2c4.com>
> wrote:
> > On Tue, Sep 19, 2017 at 10:40 PM, Cong Wang <xiyou.wangcong@gmail.c
> > om> wrote:
> > > By "notification" I assume you mean netlink notification.
> >
> > Yes, netlink notification.
> >
> > > The question is why does the process in A still care about
> > > the device sitting in B?
> > >
> > > Also, the process should be able to receive a last notification
> > > on IFF_UP|IFF_RUNNING before device is finally moved to B.
> > > After this point, it should not have any relation to netns A
> > > any more, like the device were completely gone.
> >
> > That's very clearly not the case with a tun device. Tun devices
> > work
> > by letting a userspace process control the inputs (ndo_start_xmit)
> > and
> > outputs (netif_rx) of the actual network device. This controlling
> > userspace process needs to know when its own interface that it
> > controls goes up and down. In the kernel, we can do this by just
> > checking dev->flags&IFF_UP, and receive notifications on ndo_open
> > and
> > ndo_stop. In userspace, the controlling process looses the ability
> > to
> > receive notifications like ndo_open/ndo_stop when the interface is
> > moved to a new namespace. After the interface is moved to a
> > namespace,
> > the process will still control inputs and ouputs (ndo_start_xmit
> > and
> > netif_rx), but it will no longer receive netlink notifications for
> > the
> > equivalent of ndo_open and ndo_stop. This is problematic.
>
> Sounds like we should set NETIF_F_NETNS_LOCAL for tun
> device.
>
> What is your legitimate use case of send/receive packet to/from
> a tun device in a different netns?
One thought: run openvpn in the master netns, but put its tun0
interface into an application's netns. Per-application VPN,
essentially? Or maybe that's not how people do this kind of thing, but
it's a thought.
Dan
next prev parent reply other threads:[~2017-09-20 19:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-18 18:47 cross namespace interface notification for tun devices Jason A. Donenfeld
2017-09-19 1:24 ` Jason A. Donenfeld
2017-09-19 20:40 ` Cong Wang
2017-09-19 21:02 ` Jason A. Donenfeld
2017-09-20 18:29 ` Cong Wang
2017-09-20 19:57 ` Dan Williams [this message]
2017-09-20 20:13 ` Jason A. Donenfeld
2017-10-02 9:32 ` Nicolas Dichtel
2017-10-02 11:11 ` Jason A. Donenfeld
2017-10-02 12:06 ` Nicolas Dichtel
2017-10-03 11:53 ` [PATCH net-next] dev: advertise the new nsid when the netns iface changes Nicolas Dichtel
2017-10-05 1:05 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1505937454.9403.2.camel@redhat.com \
--to=dcbw@redhat.com \
--cc=Jason@zx2c4.com \
--cc=mathias@hall-andersen.dk \
--cc=netdev@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.