From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: RFC: netfilter: nf_conntrack: add support for "conntrack zones"
Date: Mon, 22 Feb 2010 15:17:58 -0800
Message-ID:
References: <4B4F24AC.70105@trash.net> <1263481549.23480.24.camel@bigi> <4B4F3A50.1050400@trash.net> <1263490403.23480.109.camel@bigi> <4B50403A.6010507@trash.net> <1263568754.23480.142.camel@bigi> <1266875729.3673.12.camel@bigi>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Patrick McHardy, Linux Netdev List, containers@lists.linux-foundation.org, Netfilter Development Mailinglist, Ben Greear
To: hadi@cyberus.ca
In-Reply-To: <1266875729.3673.12.camel@bigi> (jamal's message of "Mon, 22 Feb 2010 16:55:29 -0500")
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

jamal writes:

> On Mon, 2010-02-22 at 12:46 -0800, Eric W. Biederman wrote:
>> jamal writes:
>
>> This is one of the long standing issues that we have always known
>> we needed to solve, but have not taken the time to do it.  Now that
>> the need is more real it looks about time to solve this one.
>>
>> There are currently two problems.
>> 1) A process is needed to hold a reference to the network namespace.
>> 2) We use pids which are an awkward way of talking about network
>>    namespaces.
>>
>> The solution I have been playing with involves:
>> - Using a file descriptor to refer to a network namespace.
>> - Using a trivial virtual filesystem to persistently hold onto
>>   a namespace without the need of a process.
>> - Have a convention of mounting the fs at something like
>>   /var/run/netns/
>>
>
> I didn't quite follow how I could use the above to do:
> "ip ns route add blah" from namespace0.
>
> I tend to think in packets and wires instead of files;
> How about just allowing a "control" channel from which
> I could discover the namespace?
> Example, assuming I have the right permissions:
> 1) listen to async events, for example on a multicast bus, when
>    a namespace is created or destroyed.  Provide me a little more info on
>    the created namespace such as its pid, name(?), types of namespace, etc.
> 2) send a query to dump existing namespaces or query by name, id etc.
>    I get the same details as above.
>
> Using genetlink should provide you with sufficient ability to do this.

What I am thinking is:

"ip ns route add blah" is:

    fd = open("/var/run/netns/");
    sys_setns(fd); /* Like unshare but takes an existing namespace */
    /* Then the rest of the existing ip command */

"ip ns list" is:

    dfd = open("/var/run/netns", O_DIRECTORY);
    getdents(dfd, buf, count);

"ip ns new " is:

    unshare(CLONE_NEWNS);
    fd = nsfd(NETNS);
    mkdir("/var/run/netns/");
    mount("none", "/var/run/netns/", "ns", 0, fd);

Using unix domain names means that which namespaces you see is under
control of userspace.  Which allows for nested containers (something
I use today), and ultimately container migration.

Using genetlink userspace doesn't result in a nestable implementation
unless I introduce yet another namespace, ugh.

Eric
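[Editor's note, not part of the thread.]  The design sketched above is the one Linux eventually shipped: setns(2) (3.0) takes a namespace file descriptor, and the /proc/PID/ns/net link can be bind-mounted (3.8) so that a mount, rather than a process, holds the namespace alive; `ip netns` in iproute2 is built on exactly these calls.  The following is an added worked example written against that later API, not code from the message, from the kernel patches, or from iproute2.  The helper names (netns_add, netns_list, netns_enter, netns_delete), the configurable directory argument (defaulting to /var/run/netns), the fork-and-exit trick so that the caller's own netns is left untouched, and the single-path-component name check are all the editor's choices.  Creating a namespace needs CAP_SYS_ADMIN; the name checks, listing and error paths run unprivileged.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Editor's example, not iproute2 code.  A name must be one path component;
 * otherwise "../etc/passwd" would let netns_delete() unlink files outside <dir>. */
int netns_name_ok(const char *name)
{
    return name[0] && !strchr(name, '/') && strcmp(name, ".") && strcmp(name, "..");
}

static int netns_path(const char *dir, const char *name, char *buf, size_t len)
{
    if (!netns_name_ok(name)) { errno = EINVAL; return -1; }
    return snprintf(buf, len, "%s/%s", dir, name) < (int)len ? 0 : (errno = ENAMETOOLONG, -1);
}

static void show_netns(const char *when)
{
    char buf[64];   /* reads as "net:[<inode>]"; the inode identifies the netns */
    ssize_t n = readlink("/proc/self/ns/net", buf, sizeof buf - 1);
    if (n >= 0) { buf[n] = '\0'; printf("%s: %s\n", when, buf); }
}

/* "ip ns new": a child unshares a fresh netns, pins it by bind-mounting its own
 * /proc/self/ns/net onto <dir>/<name>, then exits; the mount alone keeps the
 * namespace alive with no process in it.  Needs CAP_SYS_ADMIN. */
int netns_add(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int fd, status = 0, err; pid_t pid;
    if (netns_path(dir, name, path, sizeof path) < 0) return -1;
    if (mkdir(dir, 0755) < 0 && errno != EEXIST) return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0)) < 0) return -1;
    close(fd);                                  /* an empty file is the mount point */
    if ((pid = fork()) == 0) {
        if (unshare(CLONE_NEWNET) < 0 ||
            mount("/proc/self/ns/net", path, "none", MS_BIND, NULL) < 0)
            _exit(errno);                       /* pass the failing errno up */
        _exit(0);
    }
    err = (pid < 0 || waitpid(pid, &status, 0) < 0) ? errno
        : WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
    if (err == 0) return 0;
    unlink(path); errno = err;
    return -1;
}

/* "ip ns list": names are plain directory entries, so a nested container sees
 * exactly the namespaces its own mount tree exposes.  Returns the count. */
int netns_list(const char *dir, FILE *out)
{
    int n = 0; struct dirent *e; DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (netns_name_ok(e->d_name)) { n++; if (out) fprintf(out, "ns: %s\n", e->d_name); }
    closedir(d);
    return n;
}

/* "ip ns route add ...": open the pin, setns(2) into it, run the rest of the
 * command there.  setns checks the type, so a pinned mnt namespace gives EINVAL. */
int netns_enter(const char *dir, const char *name)
{
    char path[PATH_MAX];
    int fd, rc;
    if (netns_path(dir, name, path, sizeof path) < 0) return -1;
    if ((fd = open(path, O_RDONLY | O_CLOEXEC)) < 0) return -1;
    rc = setns(fd, CLONE_NEWNET);
    close(fd);
    return rc;
}

/* Drop the pin; the kernel frees the netns once nothing references it. */
int netns_delete(const char *dir, const char *name)
{
    char path[PATH_MAX];
    if (netns_path(dir, name, path, sizeof path) < 0) return -1;
    if (umount2(path, MNT_DETACH) < 0 && errno != EINVAL) return -1;
    return unlink(path);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "demo", *dir = argc > 2 ? argv[2] : "/var/run/netns";
    if (netns_add(dir, name) < 0) { perror("netns_add (needs CAP_SYS_ADMIN)"); return 1; }
    netns_list(dir, stdout);
    show_netns("before setns");
    if (netns_enter(dir, name) < 0) { perror("netns_enter"); return 1; }
    show_netns("after setns");                  /* a different net:[inode] */
    return netns_delete(dir, name) < 0;
}
```

Run as root (`./netns demo /tmp/netns-demo`) and the two `net:[...]` lines differ, which is the whole point: after the child exits nothing but the bind mount refers to the new namespace, yet setns() on the pinned file still enters it.  Because visibility is a property of the mount tree, a nested container that bind-mounts only a subset of /var/run/netns sees only that subset, with no extra namespace type needed.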