Network Namespace-1000 networks with Overlap Addresses

Network Namespace-1000 networks with Overlap Addresses

[Krishna Vamsi-B22174]

 
 
Hi,
 
I am a newbie  to this list.  Here is my use case , we have  Loadable
Kernel Module which applies security to
the packets arriving from 1000 networks with overlap addresses. There
are 3 different  user space process which handles 
control traffic  from these 1000 networks .   
 
Please let me know
 
1)How to create a Network Namespace Object ?
2)How to delete a Network Namespace Object ?
3)Can these 3  user space process see all the Network Namespace objects
created in the kernel ?
 If so, how can they access these objects?
4)How to group 2-3 interfaces under a particular Network Namespace ?
 
Is there any patch available to achieve the above use case ?
 
 
Regards
    Vamsi

Re: Network Namespace-1000 networks with Overlap Addresses

[Serge E. Hallyn]

Quoting Krishna Vamsi-B22174 (avamsi-KZfg59tc24xl57MIdRCFDg@public.gmane.org):
> 
> 
> Hi,
> 
> I am a newbie  to this list.  Here is my use case , we have  Loadable
> Kernel Module which applies security to
> the packets arriving from 1000 networks with overlap addresses. There
> are 3 different  user space process which handles 
> control traffic  from these 1000 networks .   
> 
> Please let me know
> 
> 1)How to create a Network Namespace Object ?

clone(CLONE_NEWNET)

> 2)How to delete a Network Namespace Object ?

exit

> 3)Can these 3  user space process see all the Network Namespace objects
> created in the kernel ?

No, network namespaces are fully isolated.  A virtual nic can only exist
in one network namespace, and physical nics can only exist in the
initial network namespace.

>  If so, how can they access these objects?
> 4)How to group 2-3 interfaces under a particular Network Namespace ?

I don't understand the question, but you pass a veth endpoint into a
network namespace using

	/sbin/ip link set veth1 netns $pid_in_other_netns

> Is there any patch available to achieve the above use case ?

You can use liblxc (available from lxc.sf.net) or libvirt-lxc
(libvirt.org).

-serge

Re: Network Namespace-1000 networks with Overlap Addresses

[Eric W. Biederman]

"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:

> Quoting Krishna Vamsi-B22174 (avamsi-KZfg59tc24xl57MIdRCFDg@public.gmane.org):
>> 
>> 
>> Hi,
>> 
>> I am a newbie  to this list.  Here is my use case , we have  Loadable
>> Kernel Module which applies security to
>> the packets arriving from 1000 networks with overlap addresses. There
>> are 3 different  user space process which handles 
>> control traffic  from these 1000 networks .   
>> 
>> Please let me know
>> 
>> 1)How to create a Network Namespace Object ?
>
> clone(CLONE_NEWNET)
>
>> 2)How to delete a Network Namespace Object ?
>
> exit
>
>> 3)Can these 3  user space process see all the Network Namespace objects
>> created in the kernel ?
>
> No, network namespaces are fully isolated.  A virtual nic can only exist
> in one network namespace, and physical nics can only exist in the
> initial network namespace.

Sockets can be passed between network namespaces if you set things up correctly.
At which point you can have 3 user space processes doing all of the work.

It can be a bit of a pain to have processes lying around just so you can
create a socket in another network namespace but the code works today
and isn't too bad.

>>  If so, how can they access these objects?
>> 4)How to group 2-3 interfaces under a particular Network Namespace ?
>
> I don't understand the question, but you pass a veth endpoint into a
> network namespace using
>
> 	/sbin/ip link set veth1 netns $pid_in_other_netns

yep.

Eric

Re: Network Namespace-1000 networks with Overlap Addresses

[Babu N]

Hi,

I am finding that a unshare call with CLONE_NEWNET is giving error in 
ubuntu 8.10 (kernet version 2.6.27).
The man page here 
(http://manpages.courier-mta.org/htmlman2/clone.2.html) states that 
CLONE_NEWNET implementation is not yet complete, but probably will be 
mostly complete by about Linux 2.6.28.
Is there way I can use CLONE_NEWNET successfully in 2.6.27 ?


Thanks,
Babu



At 04:27 PM 4/22/2009, Eric W. Biederman wrote:
>"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:
>
> > Quoting Krishna Vamsi-B22174 (avamsi-KZfg59tc24xl57MIdRCFDg@public.gmane.org):
> >>
> >>
> >> Hi,
> >>
> >> I am a newbie  to this list.  Here is my use case , we have  Loadable
> >> Kernel Module which applies security to
> >> the packets arriving from 1000 networks with overlap addresses. There
> >> are 3 different  user space process which handles
> >> control traffic  from these 1000 networks .
> >>
> >> Please let me know
> >>
> >> 1)How to create a Network Namespace Object ?
> >
> > clone(CLONE_NEWNET)
> >
> >> 2)How to delete a Network Namespace Object ?
> >
> > exit
> >
> >> 3)Can these 3  user space process see all the Network Namespace objects
> >> created in the kernel ?
> >
> > No, network namespaces are fully isolated.  A virtual nic can only exist
> > in one network namespace, and physical nics can only exist in the
> > initial network namespace.
>
>Sockets can be passed between network namespaces if you set things 
>up correctly.
>At which point you can have 3 user space processes doing all of the work.
>
>It can be a bit of a pain to have processes lying around just so you can
>create a socket in another network namespace but the code works today
>and isn't too bad.
>
> >>  If so, how can they access these objects?
> >> 4)How to group 2-3 interfaces under a particular Network Namespace ?
> >
> > I don't understand the question, but you pass a veth endpoint into a
> > network namespace using
> >
> >       /sbin/ip link set veth1 netns $pid_in_other_netns
>
>yep.
>
>Eric
>_______________________________________________
>Containers mailing list
>Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
>https://lists.linux-foundation.org/mailman/listinfo/containers

Re: Network Namespace-1000 networks with Overlap Addresses

[Daniel Lezcano]

Babu N wrote:
> Hi,
>
> I am finding that a unshare call with CLONE_NEWNET is giving error in 
> ubuntu 8.10 (kernet version 2.6.27).
> The man page here 
> (http://manpages.courier-mta.org/htmlman2/clone.2.html) states that 
> CLONE_NEWNET implementation is not yet complete, but probably will be 
> mostly complete by about Linux 2.6.28.
> Is there way I can use CLONE_NEWNET successfully in 2.6.27 ?
>   
No, in 2.6.27 the netns code is not complete and buggy.
You have to use the 2.6.29 kernel version.

  -- Daniel

Re: Network Namespace-1000 networks with Overlap Addresses

[Daniel Lezcano]

Daniel Lezcano wrote:
> Babu N wrote:
>   
>> Hi,
>>
>> I am finding that a unshare call with CLONE_NEWNET is giving error in 
>> ubuntu 8.10 (kernet version 2.6.27).
>> The man page here 
>> (http://manpages.courier-mta.org/htmlman2/clone.2.html) states that 
>> CLONE_NEWNET implementation is not yet complete, but probably will be 
>> mostly complete by about Linux 2.6.28.
>> Is there way I can use CLONE_NEWNET successfully in 2.6.27 ?
>>   
>>     
> No, in 2.6.27 the netns code is not complete and buggy.
> You have to use the 2.6.29 kernel version.
>
>   -- Daniel
>   

By the way, you can ask Tim Gardner, Cc'ing the ubuntu kernel team if 
the net_ns is enabled in the 2.6.29 kernel version and, if not, if it is 
possible to enable it.

Thanks
  -- Daniel

Re: Network Namespace-1000 networks with Overlap Addresses

[Babu N]

Hi Daniel,

Thanks for the response.
Its not enabled by default in ubuntu 8.10. But I have recompiled as 
per the instructions in 
http://lxc.sourceforge.net/network/configuration.php and found NEWNET 
giving error in the re-compiled kernel.
Your reply clarifies this.

Thanks again.


- Babu


At 02:28 PM 4/23/2009, Daniel Lezcano wrote:
>Daniel Lezcano wrote:
>>Babu N wrote:
>>
>>>Hi,
>>>
>>>I am finding that a unshare call with CLONE_NEWNET is giving error 
>>>in ubuntu 8.10 (kernet version 2.6.27).
>>>The man page here 
>>>(http://manpages.courier-mta.org/htmlman2/clone.2.html) states 
>>>that CLONE_NEWNET implementation is not yet complete, but probably 
>>>will be mostly complete by about Linux 2.6.28.
>>>Is there way I can use CLONE_NEWNET successfully in 2.6.27 ?
>>>
>>>
>>No, in 2.6.27 the netns code is not complete and buggy.
>>You have to use the 2.6.29 kernel version.
>>
>>   -- Daniel
>>
>
>By the way, you can ask Tim Gardner, Cc'ing the ubuntu kernel team 
>if the net_ns is enabled in the 2.6.29 kernel version and, if not, 
>if it is possible to enable it.
>
>Thanks
>  -- Daniel