ipsets and network namespaces

All of lore.kernel.org
 help / color / mirror / Atom feed

* ipsets and network namespaces
@ 2012-04-05 11:04 Gorik Van Steenberge
  2012-04-05 11:24 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 6+ messages in thread
From: Gorik Van Steenberge @ 2012-04-05 11:04 UTC (permalink / raw)
  To: netfilter-devel

Hello,

I've noticed that when creating a new network namespace (using the lxc
tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
i.e. an ipset created in the container is visible in the host and vice
versa. Iptables rulesets, however, are isolated.

Is this an as of yet unimplemented feature or a conscious design decision?

Thanks,
gvs

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: ipsets and network namespaces
  2012-04-05 11:04 ipsets and network namespaces Gorik Van Steenberge
@ 2012-04-05 11:24 ` Jozsef Kadlecsik
  2012-04-08  8:17   ` Gao feng
  0 siblings, 1 reply; 6+ messages in thread
From: Jozsef Kadlecsik @ 2012-04-05 11:24 UTC (permalink / raw)
  To: Gorik Van Steenberge; +Cc: netfilter-devel

On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:

> I've noticed that when creating a new network namespace (using the lxc
> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> i.e. an ipset created in the container is visible in the host and vice
> versa. Iptables rulesets, however, are isolated.
> 
> Is this an as of yet unimplemented feature or a conscious design decision?

It's an unimplemented feature - no one requested it yet ;-).

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: ipsets and network namespaces
  2012-04-05 11:24 ` Jozsef Kadlecsik
@ 2012-04-08  8:17   ` Gao feng
  2012-04-08 18:06     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 6+ messages in thread
From: Gao feng @ 2012-04-08  8:17 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: Gorik Van Steenberge, netfilter-devel

于 2012年04月05日 19:24, Jozsef Kadlecsik 写道:
> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> 
>> I've noticed that when creating a new network namespace (using the lxc
>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
>> i.e. an ipset created in the container is visible in the host and vice
>> versa. Iptables rulesets, however, are isolated.
>>
>> Is this an as of yet unimplemented feature or a conscious design decision?
> 
> It's an unimplemented feature - no one requested it yet ;-).

Hi Jozsef:

And I see there are a lot of /proc/sys/entries are not isolated.
is this an unimplemented feature too?

If so,I want to implement it.
How do you think about this?
> 
> Best regards,
> Jozsef
> -
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: ipsets and network namespaces
  2012-04-08  8:17   ` Gao feng
@ 2012-04-08 18:06     ` Jozsef Kadlecsik
  2012-04-09  0:50       ` Gao feng
  0 siblings, 1 reply; 6+ messages in thread
From: Jozsef Kadlecsik @ 2012-04-08 18:06 UTC (permalink / raw)
  To: Gao feng; +Cc: Gorik Van Steenberge, netfilter-devel

On Sun, 8 Apr 2012, Gao feng wrote:

> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
> > On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> > 
> >> I've noticed that when creating a new network namespace (using the lxc
> >> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> >> i.e. an ipset created in the container is visible in the host and vice
> >> versa. Iptables rulesets, however, are isolated.
> >>
> >> Is this an as of yet unimplemented feature or a conscious design decision?
> > 
> > It's an unimplemented feature - no one requested it yet ;-).
> 
> And I see there are a lot of /proc/sys/entries are not isolated.
> is this an unimplemented feature too?

I don't know what you mean here. There's nothing under /proc/sys which is 
related to ip_set* modules.
 
> If so,I want to implement it. How do you think about this?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: ipsets and network namespaces
  2012-04-08 18:06     ` Jozsef Kadlecsik
@ 2012-04-09  0:50       ` Gao feng
  2012-04-09 18:34         ` Jozsef Kadlecsik
  0 siblings, 1 reply; 6+ messages in thread
From: Gao feng @ 2012-04-09  0:50 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: Gorik Van Steenberge, netfilter-devel

于 2012年04月09日 02:06, Jozsef Kadlecsik 写道:
> On Sun, 8 Apr 2012, Gao feng wrote:
> 
>> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
>>> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
>>>
>>>> I've noticed that when creating a new network namespace (using the lxc
>>>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
>>>> i.e. an ipset created in the container is visible in the host and vice
>>>> versa. Iptables rulesets, however, are isolated.
>>>>
>>>> Is this an as of yet unimplemented feature or a conscious design decision?
>>>
>>> It's an unimplemented feature - no one requested it yet ;-).
>>
>> And I see there are a lot of /proc/sys/entries are not isolated.
>> is this an unimplemented feature too?
> 
> I don't know what you mean here. There's nothing under /proc/sys which is 
> related to ip_set* modules.
>  

I mean proc files such /proc/sys/net/netfilter/nf_conntrack_udp_timeout are not isolated.

>> If so,I want to implement it. How do you think about this?
> 
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: ipsets and network namespaces
  2012-04-09  0:50       ` Gao feng
@ 2012-04-09 18:34         ` Jozsef Kadlecsik
  0 siblings, 0 replies; 6+ messages in thread
From: Jozsef Kadlecsik @ 2012-04-09 18:34 UTC (permalink / raw)
  To: Gao feng; +Cc: Gorik Van Steenberge, netfilter-devel

On Mon, 9 Apr 2012, Gao feng wrote:

> ? 2012?04?09? 02:06, Jozsef Kadlecsik ??:
> > On Sun, 8 Apr 2012, Gao feng wrote:
> > 
> >> ? 2012?04?05? 19:24, Jozsef Kadlecsik ??:
> >>> On Thu, 5 Apr 2012, Gorik Van Steenberge wrote:
> >>>
> >>>> I've noticed that when creating a new network namespace (using the lxc
> >>>> tools) that ipsets (userspace v6.11 on kernel 3.3.1) are still global,
> >>>> i.e. an ipset created in the container is visible in the host and vice
> >>>> versa. Iptables rulesets, however, are isolated.
> >>>>
> >>>> Is this an as of yet unimplemented feature or a conscious design decision?
> >>>
> >>> It's an unimplemented feature - no one requested it yet ;-).
> >>
> >> And I see there are a lot of /proc/sys/entries are not isolated.
> >> is this an unimplemented feature too?
> > 
> > I don't know what you mean here. There's nothing under /proc/sys which is 
> > related to ip_set* modules.
> 
> I mean proc files such /proc/sys/net/netfilter/nf_conntrack_udp_timeout 
> are not isolated.

Those have nothing to do with ipset. Please do not "steal" threads, but 
start a new one for a new topic.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2012-04-09 18:34 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-04-05 11:04 ipsets and network namespaces Gorik Van Steenberge
2012-04-05 11:24 ` Jozsef Kadlecsik
2012-04-08  8:17   ` Gao feng
2012-04-08 18:06     ` Jozsef Kadlecsik
2012-04-09  0:50       ` Gao feng
2012-04-09 18:34         ` Jozsef Kadlecsik

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.