From: ebiederm@xmission.com (Eric W. Biederman)
To: hadi@cyberus.ca
Cc: Patrick McHardy <kaber@trash.net>,
Linux Netdev List <netdev@vger.kernel.org>,
containers@lists.linux-foundation.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
Ben Greear <greearb@candelatech.com>
Subject: Re: RFC: netfilter: nf_conntrack: add support for "conntrack zones"
Date: Mon, 22 Feb 2010 12:46:14 -0800 [thread overview]
Message-ID: <m13a0tf17t.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1263568754.23480.142.camel@bigi> (jamal's message of "Fri\, 15 Jan 2010 10\:19\:14 -0500")
jamal <hadi@cyberus.ca> writes:
>> > Agreed. But the major ones like iproute2 etc could be taught. We have
>> > namespaces in the kernel already, over a period of time I think changing
>> > the user space tools would a sensible evolution.
>>
>> Yes, that might be useful in any case. But I don't think it would
>> even work for iproute or other standalone programs, a process can't
>> associate to an existing namespace except through clone(). So it
>> needs to run as child of a process already associated with the
>> namespace.
>
> The mechanics are not there, yet. But if i had sufficient permission,
> and was able to find the namespaces when i ask and/or get events when it
> is created it should be an issue of sending it a message.
> The current approach to say migrate a veth via iproute2 requires we
> know the pid of the target namespace. Thats a usability issue.
> I tried to muck with namespaces and if you use a library like lxc
> you can do it - but it is a hack as it stands today (and merging
> iproute2 with lxc is questionable).
This is one of the long standing issues that we have always known
we needed to solve, but have not taken the time to do it. Now that
the need is more real it looks about time to solve this one.
There are currently two problems.
1) A process is needed to hold a reference to the network namespace.
2) We use pids which are an awkward way of talking about network
namespaces.
The solution I have been playing with involves.
- Using a file descriptor to refer to a network namespace.
- Using a trivial virtual filesystem to persistently hold onto
a namespace without the need of a process.
- Have a convention of mounting the fs at something like
/var/run/netns/<name>
That solves the naming problem, and it should allow iproute and
it's kin to have support without being closely integrated with
lxc or anything else that creates namespaces.
It is a big conversation, and it is something that has to done
right but it looks like the problem is finally real enough that
it is time to solve it.
Eric
next prev parent reply other threads:[~2010-02-22 20:46 UTC|newest]
Thread overview: 184+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-14 14:05 RFC: netfilter: nf_conntrack: add support for "conntrack zones" Patrick McHardy
[not found] ` <4B4F24AC.70105-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-14 15:05 ` jamal
2010-01-14 15:05 ` jamal
2010-01-14 15:37 ` Patrick McHardy
2010-01-14 15:37 ` Patrick McHardy
[not found] ` <4B4F3A50.1050400-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-14 17:33 ` jamal
2010-01-14 17:33 ` jamal
2010-01-15 10:15 ` Patrick McHardy
[not found] ` <4B50403A.6010507-dcUjhNyLwpNeoWH0uzbU5w@public.gmane.org>
2010-01-15 15:19 ` jamal
2010-01-15 15:19 ` jamal
2010-02-22 20:46 ` Eric W. Biederman
2010-02-22 20:46 ` Eric W. Biederman [this message]
2010-02-22 21:55 ` jamal
2010-02-22 23:17 ` Eric W. Biederman
[not found] ` <m1wry46es9.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 13:27 ` jamal
2010-02-23 14:07 ` Eric W. Biederman
2010-02-23 14:07 ` Eric W. Biederman
[not found] ` <m1iq9ocafv.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 14:20 ` jamal
2010-02-23 14:20 ` jamal
2010-02-23 20:00 ` Eric W. Biederman
2010-02-23 20:00 ` Eric W. Biederman
2010-02-23 23:09 ` jamal
2010-02-24 1:43 ` Eric W. Biederman
2010-02-24 1:43 ` Eric W. Biederman
2010-02-25 20:57 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Eric W. Biederman
2010-02-25 21:31 ` Daniel Lezcano
[not found] ` <4B86EC45.3060005-GANU6spQydw@public.gmane.org>
2010-02-25 21:49 ` Eric W. Biederman
2010-02-25 21:49 ` Eric W. Biederman
2010-02-25 22:13 ` Daniel Lezcano
[not found] ` <4B86F5EC.60902-GANU6spQydw@public.gmane.org>
2010-02-25 22:31 ` Eric W. Biederman
2010-02-25 22:31 ` Eric W. Biederman
[not found] ` <m1mxyx0yv7.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-25 22:13 ` Daniel Lezcano
2010-02-26 20:35 ` Eric W. Biederman
2010-02-26 20:35 ` Eric W. Biederman
2010-02-25 21:46 ` Matt Helsley
2010-02-25 21:54 ` Eric W. Biederman
[not found] ` <20100225214656.GS3604-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-25 21:54 ` Eric W. Biederman
2010-02-26 0:53 ` Eric W. Biederman
2010-02-26 0:53 ` Eric W. Biederman
2010-02-26 1:09 ` Matt Helsley
2010-02-26 1:26 ` Eric W. Biederman
[not found] ` <20100226010915.GA20106-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-26 1:26 ` Eric W. Biederman
2010-02-26 3:15 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control. v2 Eric W. Biederman
[not found] ` <m18wagy9f3.fsf_-_-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 20:29 ` Jonathan Corbet
2010-03-03 20:29 ` Jonathan Corbet
[not found] ` <20100303132931.11afb659-vw3g6Xz/EtPk1uMJSBkQmQ@public.gmane.org>
2010-03-03 20:50 ` Eric W. Biederman
2010-03-03 20:50 ` Eric W. Biederman
[not found] ` <m1pr3t2fvl.fsf_-_-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-25 21:31 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Daniel Lezcano
2010-02-25 21:46 ` Matt Helsley
2010-02-26 1:09 ` Matt Helsley
2010-02-26 3:15 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control. v2 Eric W. Biederman
2010-02-26 21:13 ` [RFC][PATCH] ns: Syscalls for better namespace sharing control Pavel Emelyanov
[not found] ` <4B883987.6090408-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:24 ` Eric W. Biederman
2010-02-26 21:24 ` Eric W. Biederman
2010-02-26 21:34 ` Pavel Emelyanov
[not found] ` <4B883E6F.1060907-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:42 ` Eric W. Biederman
2010-02-26 21:42 ` Eric W. Biederman
2010-02-26 21:58 ` Oren Laadan
[not found] ` <4B8843FE.4000404-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-02-26 22:16 ` Eric W. Biederman
2010-02-26 22:16 ` Eric W. Biederman
2010-02-26 22:52 ` Oren Laadan
[not found] ` <4B885093.4070807-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-02-26 23:13 ` Eric W. Biederman
2010-02-26 23:13 ` Eric W. Biederman
[not found] ` <m1zl2vtzg4.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 22:52 ` Oren Laadan
[not found] ` <m13a0nwu6p.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 21:58 ` Oren Laadan
2010-02-27 8:30 ` Pavel Emelyanov
2010-02-27 8:30 ` Pavel Emelyanov
2010-02-27 9:04 ` Eric W. Biederman
[not found] ` <m1mxyvrqvk.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 9:21 ` Pavel Emelyanov
2010-02-27 9:42 ` Eric W. Biederman
[not found] ` <m1bpfbqajn.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 16:16 ` Pavel Emelyanov
2010-02-27 16:16 ` Pavel Emelyanov
[not found] ` <4B894564.7080104-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 19:08 ` Eric W. Biederman
2010-02-27 19:08 ` Eric W. Biederman
[not found] ` <m1iq9io5sc.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-27 19:29 ` Pavel Emelyanov
2010-02-27 19:29 ` Pavel Emelyanov
2010-02-27 19:44 ` Eric W. Biederman
2010-02-28 22:05 ` Daniel Lezcano
[not found] ` <4B8AE8C1.1030305-GANU6spQydw@public.gmane.org>
2010-03-01 19:24 ` Eric W. Biederman
2010-03-01 21:42 ` Eric W. Biederman
2010-03-02 15:03 ` Pavel Emelyanov
2010-03-03 20:59 ` Oren Laadan
2010-03-01 19:24 ` Eric W. Biederman
2010-03-01 21:42 ` Eric W. Biederman
[not found] ` <m1ljebwwgd.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-02 13:10 ` Cedric Le Goater
2010-03-02 13:10 ` Cedric Le Goater
2010-03-02 15:03 ` Pavel Emelyanov
2010-03-02 15:14 ` Jan Engelhardt
2010-03-02 21:45 ` Eric W. Biederman
[not found] ` <alpine.LSU.2.01.1003021613570.17303-SHaQjdQMGhDmsUXKMKRlFA@public.gmane.org>
2010-03-02 21:45 ` Eric W. Biederman
[not found] ` <4B8D28CF.8060304-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-02 15:14 ` Jan Engelhardt
2010-03-02 21:19 ` Sukadev Bhattiprolu
2010-03-02 21:19 ` Sukadev Bhattiprolu
2010-03-02 22:13 ` Eric W. Biederman
[not found] ` <m1y6iaqsmm.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 0:07 ` Sukadev Bhattiprolu
2010-03-03 0:07 ` Sukadev Bhattiprolu
2010-03-03 0:46 ` Eric W. Biederman
2010-03-03 15:38 ` Serge E. Hallyn
2010-03-03 19:47 ` Eric W. Biederman
2010-03-04 21:45 ` Eric W. Biederman
2010-03-04 22:55 ` Jan Engelhardt
[not found] ` <m1pr3j92x8.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-04 22:55 ` Jan Engelhardt
[not found] ` <m13a0hmblr.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-04 21:45 ` Eric W. Biederman
[not found] ` <20100303153800.GA937-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-03 19:47 ` Eric W. Biederman
2010-03-03 16:50 ` Pavel Emelyanov
[not found] ` <4B8E9370.3050300-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-03 20:16 ` Eric W. Biederman
2010-03-03 20:16 ` Eric W. Biederman
[not found] ` <m17hptjh3m.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-05 19:18 ` Pavel Emelyanov
2010-03-05 19:18 ` Pavel Emelyanov
[not found] ` <4B9158F5.5040205-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-03-05 20:26 ` Eric W. Biederman
2010-03-05 20:26 ` Eric W. Biederman
2010-03-06 14:47 ` Daniel Lezcano
[not found] ` <4B926B1B.5070207-GANU6spQydw@public.gmane.org>
2010-03-06 20:48 ` Eric W. Biederman
[not found] ` <m1aaulyy5c.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-06 21:26 ` Daniel Lezcano
2010-03-08 8:32 ` Eric W. Biederman
2010-03-08 16:54 ` Daniel Lezcano
2010-03-08 17:29 ` Eric W. Biederman
2010-03-08 19:57 ` Daniel Lezcano
2010-03-08 20:24 ` Eric W. Biederman
2010-03-08 20:42 ` Daniel Lezcano
2010-03-08 20:47 ` Eric W. Biederman
2010-03-08 21:12 ` Daniel Lezcano
[not found] ` <4B956852.7050804-GANU6spQydw@public.gmane.org>
2010-03-08 21:25 ` Eric W. Biederman
2010-03-08 21:25 ` Eric W. Biederman
2010-03-08 21:49 ` Serge E. Hallyn
[not found] ` <20100308214945.GA26617-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-08 22:24 ` Eric W. Biederman
2010-03-08 22:24 ` Eric W. Biederman
[not found] ` <m1lje2qzf4.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 21:49 ` Serge E. Hallyn
2010-03-09 10:03 ` Daniel Lezcano
2010-03-10 21:16 ` Daniel Lezcano
2010-03-09 10:03 ` Daniel Lezcano
[not found] ` <4B961D09.4010802-GANU6spQydw@public.gmane.org>
2010-03-09 10:13 ` Eric W. Biederman
2010-03-09 10:13 ` Eric W. Biederman
2010-03-09 10:26 ` Daniel Lezcano
[not found] ` <m1ocixn6q3.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-09 10:26 ` Daniel Lezcano
2010-03-10 21:16 ` Daniel Lezcano
[not found] ` <m1sk8ar15b.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 21:12 ` Daniel Lezcano
[not found] ` <4B95611C.5060403-GANU6spQydw@public.gmane.org>
2010-03-08 20:47 ` Eric W. Biederman
[not found] ` <m11vfusgsa.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 20:42 ` Daniel Lezcano
[not found] ` <4B9556A9.60206-GANU6spQydw@public.gmane.org>
2010-03-08 20:24 ` Eric W. Biederman
[not found] ` <m11vfuvi1t.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 19:57 ` Daniel Lezcano
[not found] ` <4B952BBE.6070507-GANU6spQydw@public.gmane.org>
2010-03-08 17:29 ` Eric W. Biederman
[not found] ` <m1fx4bxlfy.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 16:54 ` Daniel Lezcano
2010-03-08 17:07 ` Serge E. Hallyn
2010-03-08 17:07 ` Serge E. Hallyn
[not found] ` <20100308170719.GD6399-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-08 17:35 ` Eric W. Biederman
2010-03-08 17:35 ` Eric W. Biederman
[not found] ` <m1pr3eu36u.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-08 17:47 ` Serge E. Hallyn
2010-03-08 17:47 ` Serge E. Hallyn
[not found] ` <4B92C886.9020507-GANU6spQydw@public.gmane.org>
2010-03-08 8:32 ` Eric W. Biederman
[not found] ` <m1ocj6qljj.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-03-03 15:38 ` Serge E. Hallyn
2010-03-03 16:50 ` Pavel Emelyanov
[not found] ` <20100303000743.GA13744-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-03 0:46 ` Eric W. Biederman
[not found] ` <20100302211942.GA17816-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-03-02 22:13 ` Eric W. Biederman
2010-03-03 20:59 ` Oren Laadan
2010-03-03 21:05 ` Eric W. Biederman
[not found] ` <m18wa9glpo.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-05-27 12:06 ` [Devel] " Enrico Weigelt
[not found] ` <4B8ECD99.3040107-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2010-03-03 21:05 ` Eric W. Biederman
[not found] ` <m1ljeempk6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-28 22:05 ` Daniel Lezcano
[not found] ` <4B89727C.9040602-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 19:44 ` Eric W. Biederman
[not found] ` <4B88E431.6040609-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 9:42 ` Eric W. Biederman
[not found] ` <4B88D80A.8010701-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-27 9:04 ` Eric W. Biederman
[not found] ` <m1bpfbwuze.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-26 21:34 ` Pavel Emelyanov
2010-02-26 21:35 ` Pavel Emelyanov
2010-02-26 21:49 ` Eric W. Biederman
[not found] ` <4B883EAF.5020607-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2010-02-26 21:49 ` Eric W. Biederman
2010-05-27 12:28 ` [Devel] " Enrico Weigelt
[not found] ` <20100527122800.GC31480-q9I3ByPDOfiE+EvaaNYduQ@public.gmane.org>
2010-05-27 12:44 ` Daniel Lezcano
[not found] ` <4BFE6938.50607-GANU6spQydw@public.gmane.org>
2010-05-27 15:42 ` Enrico Weigelt
2010-02-25 20:57 ` Eric W. Biederman
[not found] ` <m1r5obbu2w.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-23 23:09 ` RFC: netfilter: nf_conntrack: add support for "conntrack zones" jamal
2010-02-23 23:49 ` Matt Helsley
2010-02-23 23:49 ` Matt Helsley
2010-02-24 1:32 ` Eric W. Biederman
2010-02-24 1:39 ` Serge E. Hallyn
[not found] ` <m18waj2zc8.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-24 1:39 ` Serge E. Hallyn
[not found] ` <20100223234942.GO3604-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
2010-02-24 1:32 ` Eric W. Biederman
2010-02-22 23:17 ` Eric W. Biederman
[not found] ` <m13a0tf17t.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-02-22 21:55 ` jamal
2010-01-15 10:15 ` Patrick McHardy
2010-01-14 18:32 ` Ben Greear
[not found] ` <4B4F6332.50606-my8/4N5VtI7c+919tysfdA@public.gmane.org>
2010-01-15 15:03 ` jamal
2010-01-15 15:03 ` jamal
-- strict thread matches above, loose matches on Subject: below --
2010-01-14 14:05 Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m13a0tf17t.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=greearb@candelatech.com \
--cc=hadi@cyberus.ca \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.