From: ebiederm@xmission.com (Eric W. Biederman)
To: canqun zhang <canqunzhang@gmail.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>,
	netfilter-devel@vger.kernel.org,
	netdev@vger.kernel.org,
	Patrick McHardy <kaber@trash.net>,
	pablo@netfilter.org
Subject: Re: [PATCH 01/19] netfilter: move nf_conntrack initialize out of pernet operations
Date: Thu, 27 Dec 2012 22:00:23 -0800
Message-ID: <8738yqiumg.fsf@xmission.com>
In-Reply-To: <CAFFEFTU8kxXV2pQ3B_goRs2Y7p2ecZ1YuSKSjfYF_58eD1tDqw@mail.gmail.com> (canqun zhang's message of "Fri, 28 Dec 2012 13:32:29 +0800")

canqun zhang <canqunzhang@gmail.com> writes:

> Yes, network namespaces in general can be cleaned up in any order, but
> when doing /etc/init.d/iptables restart, the system needs to clean up
> all net namespaces, and init_net should be cleaned up last. init_net is
> the first namespace, other net namespaces are copied for it, and it has
> the duty of initializing resources, so it in itself is special.

"other net namespaces is copied for it"  I don't have a clue what
you mean by that.  Every network namespace starts out in a default
state not in a copied state.

Nowhere else in the network stack does &init_net have the duty
of initializing or cleaning up resources.

That /etc/init.d/iptables restart removes modules in general is a little
dubious.  That /etc/init.d/iptables restart removes modules when there
are other existing network namespaces using those modules is downright
dangerous.  Dangerous in the anyone can ssh into the machine way.  I
suspect it has taken 5 years for this bug to show up because it is so
idiotic to remove code that someone else is using.

I won't argue that making it so that &init_net is the last network
namespace to go will solve this problem.  But I can't see how adding
the guarantee that &init_net will always be cleaned up last is a good
long term solution.

Removing the init_net special case gives a simpler mental model, and
less to learn and maintain about network namespaces.

Eric
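As an added illustration of the two designs argued over above (this is not code from the thread, from Gao feng's patch series, or from the kernel), here is a small user-space C model. Design A has init_net's pernet init/exit also own the subsystem-wide state, which is the special case Eric objects to; design B keeps that state with the module, created in module_init and destroyed in module_exit, with the namespaces merely counted as users so that unloading while anyone still depends on it is refused. Every name here (g, nets, run_model, the a_/b_ prefixes) is hypothetical, and where the real kernel would dereference freed memory the model returns a negative errno instead.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NNS 3 /* init_net plus two child namespaces */

/* Module-scope state every namespace relies on (a slab cache, a registered
 * protocol handler): one copy, however many namespaces exist. */
static struct { int alive; int users; } g;

/* Per-namespace state. Every namespace starts from defaults; none is copied. */
struct net { int is_init_net; };
static struct net nets[NNS];

static void reset_model(void)
{
    memset(&g, 0, sizeof g);
    memset(nets, 0, sizeof nets);
    nets[0].is_init_net = 1;
}

/* Design A: init_net's pernet init/exit also owns the shared state, so
 * tearing init_net down first pulls it out from under the other namespaces. */
static int a_pernet_init(struct net *net)
{
    if (net->is_init_net)
        g.alive = 1;
    return g.alive ? 0 : -EFAULT;   /* else: uninitialised shared state */
}

static int a_pernet_exit(struct net *net)
{
    if (!g.alive)
        return -EFAULT;             /* use after teardown; in the kernel, a UAF */
    if (net->is_init_net)
        g.alive = 0;
    return 0;
}

/* Design B: shared state is created in module_init and destroyed in
 * module_exit; pernet init/exit only count users, and module_exit refuses
 * to run while any namespace still depends on the shared state. */
static int b_module_init(void) { g.alive = 1; g.users = 0; return 0; }

static int b_pernet_init(struct net *net)
{
    if (!g.alive)
        return -EFAULT;
    g.users++;
    return 0;
}

static int b_pernet_exit(struct net *net)
{
    if (!g.alive)
        return -EFAULT;
    g.users--;
    return 0;
}

static int b_module_exit(void)
{
    if (g.users > 0)
        return -EBUSY;              /* code still in use elsewhere: stay loaded */
    g.alive = 0;
    return 0;
}

/* Set up all namespaces, then tear them down init_net-last or init_net-first.
 * Returns 0 if every step succeeded, otherwise the first (negative) errno. */
static int run_model(int design_b, int init_net_last)
{
    int rc;
    reset_model();
    if (design_b && (rc = b_module_init()) != 0)
        return rc;
    for (int i = 0; i < NNS; i++)
        if ((rc = design_b ? b_pernet_init(&nets[i]) : a_pernet_init(&nets[i])))
            return rc;
    for (int k = 0; k < NNS; k++) {
        struct net *n = &nets[init_net_last ? NNS - 1 - k : k];
        if ((rc = design_b ? b_pernet_exit(n) : a_pernet_exit(n)))
            return rc;
    }
    return design_b ? b_module_exit() : 0;
}

int main(void)
{
    printf("A, init_net last/first: %d %d\n", run_model(0, 1), run_model(0, 0));
    printf("B, init_net last/first: %d %d\n", run_model(1, 1), run_model(1, 0));
    return 0;
}
```

Only design A cares about order: with init_net torn down first it reports -EFAULT for the next namespace, which is the guarantee the reply says it does not want to depend on. Design B returns 0 in either order, and b_module_exit() answers -EBUSY while any namespace is still registered, which is the check a module-removing init script would run into instead of freeing code in use.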
