From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Thomas Graf <tgraf@suug.ch>,
Shrijeet Mukherjee <shm@cumulusnetworks.com>
Cc: hannes@stressinduktion.org, dsahern@gmail.com,
ebiederm@xmission.com, hadi@mojatatu.com, davem@davemloft.net,
stephen@networkplumber.org, netdev@vger.kernel.org,
roopa@cumulusnetworks.com, gospo@cumulusnetworks.com,
jtoppins@cumulusnetworks.com, nikolay@cumulusnetworks.com
Subject: Re: [RFC net-next 0/3] Proposal for VRF-lite
Date: Tue, 09 Jun 2015 14:30:06 +0200 [thread overview]
Message-ID: <5576DC4E.6060206@6wind.com> (raw)
In-Reply-To: <20150609101550.GA10411@pox.localdomain>
Le 09/06/2015 12:15, Thomas Graf a écrit :
> On 06/08/15 at 11:35am, Shrijeet Mukherjee wrote:
> [...]
>> model with some performance paths that need optimization. (Specifically
>> the output route selector that Roopa, Robert, Thomas and EricB are
>> currently discussing on the MPLS thread)
>
> Thanks for posting these patches just in time. This explains how
> you intent to deploy Roopa's patches in a scalable manner.
>
>> High Level points
>>
>> 1. Simple overlay driver (minimal changes to current stack)
>> * uses the existing fib tables and fib rules infrastructure
>> 2. Modelled closely after the ipvlan driver
>> 3. Uses current API and infrastructure.
>> * Applications can use SO_BINDTODEVICE or cmsg device indentifiers
>> to pick VRF (ping, traceroute just work)
>
> I like the aspect of reusing existing user interfaces. We might
> need to introduce a more fine grained capability than CAP_NET_RAW
> to give containers the privileges to bind to a VRF without
> allowing them to inject raw frames.
>
> Given I understand this correctly: If my intent was to run a
> process in multiple VRFs, then I would need to run that process
> in the host network namespace which contains the VRF devices
> which would also contain the physical devices. While I might want
> to grant my process the ability to bind to VRFs, I may not want
> to give it the privileges to bind to any device. So we could
> consider introducing CAP_NET_VRF which would allow to bind to
> VRF devices.
If I understand correctly, all existing applications should also be modified
if I want to run them into a VRF/MRF (see my previous email)?
ssh, dhcp, httpd, etc should be runnable per MRF without modifications of
their source code. So, it becomes a netns. What's about an IKE dameon?
It makes sense to have both: netns and MRF ; each can have their own logics
of VRF-like behavior depending on how a VRF is defined by the end users.
next prev parent reply other threads:[~2015-06-09 12:30 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-08 18:35 [RFC net-next 0/3] Proposal for VRF-lite Shrijeet Mukherjee
2015-06-08 18:35 ` [RFC net-next 1/3] Symbol preparation for VRF driver Shrijeet Mukherjee
2015-06-10 16:24 ` Alexander Duyck
2015-06-08 18:35 ` [RFC net-next 2/3] VRF driver and needed infrastructure Shrijeet Mukherjee
2015-06-08 19:08 ` David Ahern
2015-06-08 20:17 ` Hannes Frederic Sowa
2015-06-09 9:19 ` Nicolas Dichtel
2015-06-09 12:35 ` Nikolay Aleksandrov
2015-06-10 2:11 ` Shrijeet Mukherjee
2015-06-10 18:20 ` Alexander Duyck
2015-06-08 18:35 ` [RFC net-next 3/3] rcv path changes for vrf traffic Shrijeet Mukherjee
2015-06-08 19:58 ` Hannes Frederic Sowa
2015-06-08 20:00 ` Hannes Frederic Sowa
2015-06-08 20:22 ` Shrijeet Mukherjee
2015-06-08 20:33 ` Hannes Frederic Sowa
2015-06-08 22:44 ` Shrijeet Mukherjee
2015-06-09 5:41 ` Hannes Frederic Sowa
2015-06-08 22:05 ` David Miller
2015-06-08 22:13 ` Hannes Frederic Sowa
2015-06-08 22:21 ` David Miller
2015-06-09 0:36 ` David Ahern
2015-06-09 1:03 ` David Ahern
2015-06-09 5:35 ` Hannes Frederic Sowa
2015-06-10 18:31 ` Alexander Duyck
2015-06-08 18:35 ` [RFC iproute2] Add the ability to create a VRF device and specify it's table binding Shrijeet Mukherjee
2015-06-08 19:13 ` [RFC net-next 0/3] Proposal for VRF-lite David Ahern
2015-06-08 19:51 ` Shrijeet Mukherjee
2015-06-08 20:41 ` Hannes Frederic Sowa
2015-06-09 8:58 ` Nicolas Dichtel
2015-06-09 14:21 ` David Ahern
2015-06-09 14:55 ` Nicolas Dichtel
2015-06-09 17:14 ` Shrijeet Mukherjee
2015-06-09 10:15 ` Thomas Graf
2015-06-09 12:30 ` Nicolas Dichtel [this message]
2015-06-09 12:43 ` Hannes Frederic Sowa
[not found] ` <CAJmoNQHRTJwdMjziQiPBX07sZKrYd3Z1ASNi1xQZdgJ1Vs6bGg@mail.gmail.com>
2015-06-12 9:46 ` Thomas Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5576DC4E.6060206@6wind.com \
--to=nicolas.dichtel@6wind.com \
--cc=davem@davemloft.net \
--cc=dsahern@gmail.com \
--cc=ebiederm@xmission.com \
--cc=gospo@cumulusnetworks.com \
--cc=hadi@mojatatu.com \
--cc=hannes@stressinduktion.org \
--cc=jtoppins@cumulusnetworks.com \
--cc=netdev@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=roopa@cumulusnetworks.com \
--cc=shm@cumulusnetworks.com \
--cc=stephen@networkplumber.org \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.