From: Herbert Poetzl <herbert@13thfloor.at>
To: dlezcano@fr.ibm.com
Cc: containers@lists.osdl.org, netdev@vger.kernel.org
Subject: Re: [patch 00/12] net namespace : L3 namespace - introduction
Date: Sat, 20 Jan 2007 05:48:12 +0100
Message-ID: <20070120044812.GA6123@MAIL.13thfloor.at>
In-Reply-To: <20070119154714.439706567@localhost.localdomain>
On Fri, Jan 19, 2007 at 04:47:14PM +0100, dlezcano@fr.ibm.com wrote:
> This patchset provides network isolation similar to what
> Linux-Vserver provides. It is based on the L2 namespaces and relies on
> the mechanisms provided by the namespace. These L3 namespaces do not
> aim to bring full virtualization for the network; they provide IP
> isolation which can be reused for Linux-Vserver, jailed applications or
> application containers.
>
> L3 namespaces are always children of an L2 namespace and they cannot create more
> network namespaces; furthermore, they lose their NET_ADMIN
> capability. They share their parent's network resources. From the
> parent namespace, IP addresses are created and assigned to the
> different L3 children. From this point, L3 namespaces can use their
> assigned IP address and all computed broadcast addresses.
~~~~~~~~~~~~~~~~~~~
Okay, I conclude that this only handles a single address
for now. What are your plans to handle entire sets?
TIA,
Herbert
> Because the L3 namespace relies on the L2 virtualization mechanisms,
> it is possible to have several L3 namespaces listening on
> INADDR_ANY:port without conflict, which allows running several servers
> without modifying the network configuration.
>
> The loopback is a shared device between all L3 namespaces. To ensure
> the 127.0.0.1 address isolation, the sender stores its namespace into
> the packet, so when the packet arrives, the destination namespace is
> already set, because "source" == "destination". This way, it is
> easy to disable the loopback isolation and let an application talk
> with applications outside of the namespace via 127.0.0.1 because we
> consider them trusted (like portmap).
>
> The ifconfig / ip commands will only show IP addresses assigned to the
> L3 namespace. When an L3 namespace dies, the assigned IP address is
> released to its parent.
>
> At the IP level, when a packet arrives, the L3 network namespace
> destination is retrieved from the destination address.
>
> At bind time, the address is checked against the assigned IP
> address.
>
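A small C model of the rules the quoted introduction describes (the parent pushing an address into an L3 child, bind() checked against the assigned address, the destination namespace looked up from the destination address, and 127.0.0.1 delivery driven by the namespace tag the sender stores in the packet). This is an added illustration, not code from the patchset; the table layout, the convention that namespace 0 is the parent L2, loopback being always bindable, and "isolation off" meaning delivery to the shared parent are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the rules described above, not the patchset's code.
 * Namespace 0 is the parent L2; IPv4 addresses are host-order uint32 values. */
#define NS_L2_PARENT 0
#define MAX_ASSIGN   8
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define LOOPBACK_H IP4(127, 0, 0, 1)

static struct { uint32_t addr; int ns; } table[MAX_ASSIGN];  /* parent-owned ifa list */
static size_t n_assign;
struct skb { uint32_t daddr; int sender_ns; };  /* the two fields the model needs */

/* Patch 08 analogue: destination namespace from daddr, -1 if unassigned. */
int ns_find_by_addr(uint32_t daddr)
{
    for (size_t i = 0; i < n_assign; i++)
        if (table[i].addr == daddr) return table[i].ns;
    return -1;
}

/* Patch 05 analogue: the parent pushes one address into an L3 child; an
 * address belongs to exactly one namespace, so a duplicate is refused. */
int ns_assign_addr(uint32_t addr, int ns)
{
    if (n_assign == MAX_ASSIGN || ns_find_by_addr(addr) >= 0) return -1;
    table[n_assign].addr = addr;
    table[n_assign++].ns = ns;
    return 0;
}

/* Patch 06 analogue: bind() must use an owned address. INADDR_ANY (0) stays
 * legal, the shared L2 demultiplexes it; 127.0.0.1 is assumed always visible (patch 09). */
bool ns_bind_allowed(int ns, uint32_t addr)
{
    if (ns == NS_L2_PARENT || addr == 0 || addr == LOOPBACK_H) return true;
    return ns_find_by_addr(addr) == ns;
}

/* Patch 10 analogue: a 127.0.0.1 packet carries its sender's namespace, so the
 * destination is the source. Isolation off is assumed to mean delivery to the
 * shared parent (the trusted portmap case). Other addresses use the table. */
int ns_route_incoming(const struct skb *skb, bool loopback_isolation)
{
    if (skb->daddr == LOOPBACK_H) return loopback_isolation ? skb->sender_ns : NS_L2_PARENT;
    return ns_find_by_addr(skb->daddr);
}
```

The model makes Herbert's question concrete: each call to ns_assign_addr moves exactly one address, so a namespace that needs a whole set needs one push per address.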