From: Herbert Poetzl <herbert@13thfloor.at>
To: dlezcano@fr.ibm.com
Cc: containers@lists.osdl.org, netdev@vger.kernel.org
Subject: Re: [patch 00/12] net namespace : L3 namespace - introduction
Date: Sat, 20 Jan 2007 05:48:12 +0100 [thread overview]
Message-ID: <20070120044812.GA6123@MAIL.13thfloor.at> (raw)
In-Reply-To: <20070119154714.439706567@localhost.localdomain>
On Fri, Jan 19, 2007 at 04:47:14PM +0100, dlezcano@fr.ibm.com wrote:
> This patchset provide a network isolation similar at what
> Linux-Vserver provides. It is based on the L2 namespaces and relies on
> the mechanisms provided by the namespace. This L3 namespaces does not
> aim to bring full virtualization for the network, it provides an IP
> isolation which can be reused for Linux-Vserver, jailed application or
> application containers.
>
> A L3 namespace are always L2 s' childs and they can not create more
> network namespaces, furthermore, they lose their NET_ADMIN
> capability. They share their parent's network ressources. From the
> parent namespace, IP addresses are created and assigned to the
> different L3 childs. From this point, L3 namespaces can use their
> assigned IP address and all computed broadcast addresses.
~~~~~~~~~~~~~~~~~~~
okay, I conclude that this only handles a single address
for now. what are your plans to handle entire sets?
TIA,
Herbert
> Because the L3 namespace relies on the L2 virtualization mechanisms,
> it is possible to have several L3 namespaces listening on
> INADDR_ANY:port without conflict, that's allow to run several server
> without modifying the network configuration.
>
> The loopback is a shared device between all L3 namespaces. To ensure
> the 127.0.0.1 address isolation, the sender store its namespace into
> the packet, so when the packet arrives, the destination namespace is
> already set, because "source" == "destination". By this way, it is
> easy to disable the loopback isolation and let the application to talk
> with application outside of the namespace via the 127.0.0.1 because we
> consider them trusted (like portmap).
>
> The ifconfig / ip commands will only show IP addresses assigned to the
> L3 namespace. When a L3 namespace dies, the assigned IP address is
> released to its parent.
>
> At the IP level, when a packet arrives, the L3 network namespace
> destination is retrieved from the destination address.
>
> At the bind time, the address is checked against the assigned IP
> address.
>
> --
> _______________________________________________
> Containers mailing list
> Containers@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/containers
next prev parent reply other threads:[~2007-01-20 5:12 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-19 15:47 [patch 00/12] net namespace : L3 namespace - introduction dlezcano
2007-01-19 15:47 ` [patch 01/12] net namespace : initialize init process to level 2 dlezcano
2007-01-19 15:47 ` [patch 02/12] net namespace : store L2 parent namespace dlezcano
2007-01-19 15:47 ` [patch 03/12] net namespace : share network ressources L2 with L3 dlezcano
2007-01-19 15:47 ` [patch 04/12] net namespace : isolate the inet device dlezcano
2007-01-19 15:47 ` [patch 05/12] net namespace : ioctl to push ifa to net namespace l3 dlezcano
2007-01-20 4:52 ` Herbert Poetzl
2007-01-20 11:48 ` Daniel Lezcano
2007-01-19 15:47 ` [patch 06/12] net namespace : check bind address dlezcano
2007-01-19 15:47 ` [patch 07/12] net namespace: set source addresse dlezcano
2007-01-19 15:47 ` [patch 08/12] net namespace : find namespace by addr dlezcano
2007-01-20 4:56 ` Herbert Poetzl
2007-01-19 15:47 ` [patch 09/12] net namespace : make loopback address always visible dlezcano
2007-01-19 15:47 ` [patch 10/12] net namespace : add the loopback isolation dlezcano
2007-01-19 15:47 ` [patch 11/12] net namespace : debugfs - add net_ns debugfs dlezcano
2007-01-19 15:47 ` [patch 12/12] net namespace : Add broadcasting dlezcano
2007-01-20 4:58 ` Herbert Poetzl
2007-01-20 11:54 ` Daniel Lezcano
2007-01-20 4:48 ` Herbert Poetzl [this message]
2007-01-20 11:42 ` [patch 00/12] net namespace : L3 namespace - introduction Daniel Lezcano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070120044812.GA6123@MAIL.13thfloor.at \
--to=herbert@13thfloor.at \
--cc=containers@lists.osdl.org \
--cc=dlezcano@fr.ibm.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.