ipsets and network namespaces

ipsets and network namespaces

[Gorik Van Steenberge]

Hello,

I've noticed that when creating a new network namespace (using the lxc
tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
i.e. an ipset created in the container is visible in the host and vice
versa. Iptables rulesets, however, are isolated.

Is this an as of yet unimplemented feature or a conscious design decision?

Thanks,
gvs

Re: ipsets and network namespaces

[Jozsef Kadlecsik]

On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:

> I've noticed that when creating a new network namespace (using the lxc
> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> i.e. an ipset created in the container is visible in the host and vice
> versa. Iptables rulesets, however, are isolated.
> 
> Is this an as of yet unimplemented feature or a conscious design decision?

It's an unimplemented feature - no one requested it yet ;-).

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipsets and network namespaces

[Gao feng]

于 2012年04月05日 19:24, Jozsef Kadlecsik 写道:
> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> 
>> I've noticed that when creating a new network namespace (using the lxc
>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
>> i.e. an ipset created in the container is visible in the host and vice
>> versa. Iptables rulesets, however, are isolated.
>>
>> Is this an as of yet unimplemented feature or a conscious design decision?
> 
> It's an unimplemented feature - no one requested it yet ;-).

Hi Jozsef:

And I see there are a lot of /proc/sys/entries are not isolated.
is this an unimplemented feature too?

If so,I want to implement it.
How do you think about this?
> 
> Best regards,
> Jozsef
> -
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: ipsets and network namespaces

[Jozsef Kadlecsik]

On Sun, 8 Apr 2012, Gao feng wrote:

> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
> > On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> > 
> >> I've noticed that when creating a new network namespace (using the lxc
> >> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> >> i.e. an ipset created in the container is visible in the host and vice
> >> versa. Iptables rulesets, however, are isolated.
> >>
> >> Is this an as of yet unimplemented feature or a conscious design decision?
> > 
> > It's an unimplemented feature - no one requested it yet ;-).
> 
> And I see there are a lot of /proc/sys/entries are not isolated.
> is this an unimplemented feature too?

I don't know what you mean here. There's nothing under /proc/sys which is 
related to ip_set* modules.
 
> If so,I want to implement it. How do you think about this?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipsets and network namespaces

[Gao feng]

于 2012年04月09日 02:06, Jozsef Kadlecsik 写道:
> On Sun, 8 Apr 2012, Gao feng wrote:
> 
>> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
>>> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
>>>
>>>> I've noticed that when creating a new network namespace (using the lxc
>>>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
>>>> i.e. an ipset created in the container is visible in the host and vice
>>>> versa. Iptables rulesets, however, are isolated.
>>>>
>>>> Is this an as of yet unimplemented feature or a conscious design decision?
>>>
>>> It's an unimplemented feature - no one requested it yet ;-).
>>
>> And I see there are a lot of /proc/sys/entries are not isolated.
>> is this an unimplemented feature too?
> 
> I don't know what you mean here. There's nothing under /proc/sys which is 
> related to ip_set* modules.
>  

I mean proc files such /proc/sys/net/netfilter/nf_conntrack_udp_timeout are not isolated.

>> If so,I want to implement it. How do you think about this?
> 
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: ipsets and network namespaces

[Jozsef Kadlecsik]

On Mon, 9 Apr 2012, Gao feng wrote:

> ? 2012?04?09? 02:06, Jozsef Kadlecsik ??:
> > On Sun, 8 Apr 2012, Gao feng wrote:
> > 
> >> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
> >>> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> >>>
> >>>> I've noticed that when creating a new network namespace (using the lxc
> >>>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> >>>> i.e. an ipset created in the container is visible in the host and vice
> >>>> versa. Iptables rulesets, however, are isolated.
> >>>>
> >>>> Is this an as of yet unimplemented feature or a conscious design decision?
> >>>
> >>> It's an unimplemented feature - no one requested it yet ;-).
> >>
> >> And I see there are a lot of /proc/sys/entries are not isolated.
> >> is this an unimplemented feature too?
> > 
> > I don't know what you mean here. There's nothing under /proc/sys which is 
> > related to ip_set* modules.
> 
> I mean proc files such /proc/sys/net/netfilter/nf_conntrack_udp_timeout 
> are not isolated.

Those have nothing to do with ipset. Please do not "steal" threads, but 
start a new one for a new topic.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary