From: "Denis V. Lunev" <den@sw.ru>
To: Daniel Lezcano <dlezcano@fr.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
netdev@vger.kernel.org, Pavel Emelianov <xemul@sw.ru>,
Linux Containers <containers@lists.osdl.org>,
David Miller <davem@davemloft.net>
Subject: Re: [Devel] [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace
Date: Wed, 10 Oct 2007 18:29:05 +0400 [thread overview]
Message-ID: <470CE1B1.30108@sw.ru> (raw)
In-Reply-To: <470CDC26.6010608@fr.ibm.com>
Daniel Lezcano wrote:
> struct net *net = in?in->nd_net:out->nd_net;
>
>> So, we are bound to the following options:
>> - perform additional non-uniform hacks around to place 'struct net' into
>> other and other structures like xt_target
>> - add 7th parameter here and over
>> - introduce an skb_net field in the 'struct sk_buff' making all code
>> uniform, at least when we have an skb
>>
>> I think that this is not the last place with such a parameter list and
>> we should make a decision at this point when the code in not mainline
>> yet.
>>
>> As far as I understand, netfilters are not touched by the Eric and we
>> can face some non-trivial problems there.
>
> In Eric's git tree:
> http://git.kernel.org/?p=linux/kernel/git/ebiederm/linux-2.6-netns.git
>
> There are some modifications concerning
> net/ipv4/netfiler/iptable_filter.c and at the ipt_hook function, there is:
>
> struct net *net = (in?in:out)->nd_net;
>
>> So, if my point about uniformity is valid, this patchset looks wrong and
>> should be re-worked :(
>
> As Eric said, we want to build the network namespace step by step,
> taking care of not breaking the init network namespace.
>
> If you want to make iptables per namespace or catch problems before the
> code goes to Dave's tree, IMHO it will be more convenient to post to
> containers@ the patches against netns49, where the modifications will be
> in a network namespace big picture.
>
my point is somewhat another. Yes, this is enough for that place. If so,
I must scatter these checks all around in the netfilters code. Brr.
In forward chain the situation is different for Layer3 switching. Let's
assume that we have an OpenVZ scheme, where the packet flows from socket
to device and after that from device to device via forwarding path. You
can't call skb_orphan on namespace switching as this breaks UDP flow
regulation. Virtual network device is fast while real Ethernet is slow,
packets will be dropped on queue in real device. So, the situation with
packet on send path with a socket from other namespace is possible :(
I just pray for uniformity to concentrate on the code rather than on
guesses on which path we are :(
Regards,
Den
next prev parent reply other threads:[~2007-10-10 14:29 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-29 1:00 [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace Eric W. Biederman
2007-09-29 1:00 ` Eric W. Biederman
2007-09-29 1:02 ` [PATCH 2/5] net: Make rtnetlink infrastructure network namespace aware Eric W. Biederman
2007-09-29 1:02 ` Eric W. Biederman
[not found] ` <m1hcle9td8.fsf-T1Yj925okcoyDheHMi7gv2pdwda3JcWeAL8bYrjMMd8@public.gmane.org>
2007-09-29 1:04 ` [PATCH 3/5] net: Make the netlink methods in rtnetlink handle multiple network namespaces Eric W. Biederman
2007-09-29 1:07 ` [PATCH 4/5] net: Make AF_PACKET " Eric W. Biederman
2007-09-29 1:07 ` Eric W. Biederman
2007-09-29 1:08 ` [PATCH 5/5] net: Make AF_UNIX per network namespace safe Eric W. Biederman
2007-09-29 1:08 ` Eric W. Biederman
2007-09-29 15:47 ` Patrick McHardy
2007-09-29 17:03 ` Eric W. Biederman
2007-09-29 17:50 ` Patrick McHardy
2007-09-29 15:44 ` [PATCH 2/5] net: Make rtnetlink infrastructure network namespace aware Patrick McHardy
2007-09-29 16:51 ` Eric W. Biederman
2007-09-29 17:48 ` Patrick McHardy
2007-09-29 21:00 ` Eric W. Biederman
2007-09-30 13:13 ` [Devel] " Denis V. Lunev
2007-09-30 15:39 ` Patrick McHardy
2007-10-01 8:26 ` [Devel] " Denis V. Lunev
2007-10-01 8:45 ` Eric W. Biederman
2007-10-10 12:35 ` [Devel] [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace Denis V. Lunev
2007-10-10 14:05 ` Daniel Lezcano
2007-10-10 14:29 ` Denis V. Lunev [this message]
2007-10-10 19:37 ` Eric W. Biederman
[not found] ` <m13awilq1r.fsf-T1Yj925okcoyDheHMi7gv2pdwda3JcWeAL8bYrjMMd8@public.gmane.org>
2007-10-11 6:36 ` Denis V. Lunev
[not found] ` <470DC48A.30603-3ImXcnM4P+0@public.gmane.org>
2007-10-11 7:57 ` Eric W. Biederman
[not found] ` <m1r6k2gk2w.fsf-T1Yj925okcoyDheHMi7gv2pdwda3JcWeAL8bYrjMMd8@public.gmane.org>
2007-10-11 12:18 ` Denis V. Lunev
[not found] ` <470E149A.3040803-3ImXcnM4P+0@public.gmane.org>
2007-10-11 17:08 ` Eric W. Biederman
[not found] ` <m1przlbmu4.fsf-T1Yj925okcoyDheHMi7gv2pdwda3JcWeAL8bYrjMMd8@public.gmane.org>
2007-10-11 17:28 ` Denis V. Lunev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470CE1B1.30108@sw.ru \
--to=den@sw.ru \
--cc=containers@lists.osdl.org \
--cc=davem@davemloft.net \
--cc=dlezcano@fr.ibm.com \
--cc=ebiederm@xmission.com \
--cc=netdev@vger.kernel.org \
--cc=xemul@sw.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.