From: James Chapman <jchapman@katalix.com>
To: "François Cachereul" <f.cachereul@alphalink.fr>
Cc: Paul Mackerras <paulus@samba.org>,
netdev@vger.kernel.org, linux-ppp@vger.kernel.org
Subject: Re: [RFC PATCH net-next] ppp: Allow ppp device connected to an l2tp session to change of namespace
Date: Thu, 24 Oct 2013 15:43:42 +0000
Message-ID: <5269402E.2070203@katalix.com>
In-Reply-To: <526923A7.8090108@alphalink.fr>

On 24/10/13 14:41, François Cachereul wrote:
> On 10/24/2013 12:55 PM, James Chapman wrote:
>> On 24/10/13 11:30, François Cachereul wrote:
>>> Remove NETIF_F_NETNS_LOCAL flag from ppp device in ppp_connect_channel()
>>> if the device is connected to a l2tp session socket.
>>> Restore the flag in ppp_disconnect_channel().
>>
>> What about pppd's network namespace? Also, L2TP's tunnel socket (UDP or
>> L2TP/IP) will be in a different namespace if the ppp interface is moved.
>
> That's what I'm trying to achieve. I'm not using pppd and my problem is
> as follows: I need to isolate ppp devices from each other, even when
> they are connected to sessions carried by the same L2TP tunnel.

I'm thinking about the implications of a skb in the net namespace of the
ppp interface passing through a tunnel socket which is in another
namespace. I think net namespaces are completely isolated.

To keep your ppp interfaces isolated from each other, have you
considered using netfilter to prevent data being passed between ppp
interfaces?

> Also, I
> need the authentication to be terminated to know the namespace in which
> the ppp will be moved. For that, the process runs in a namespace with
> its l2tp sockets (tunnel and session) in that same namespace and each
> ppp device is moved in a specific namespace after authentication.
>
> Regards
> François
>
--
James Chapman
Katalix Systems Ltd
http://www.katalix.com
Catalysts for your Embedded Linux software development