public inbox for netdev@vger.kernel.org
* netns XFRM preview
@ 2008-11-21 15:21 Alexey Dobriyan
From: Alexey Dobriyan @ 2008-11-21 15:21 UTC (permalink / raw)
  To: davem; +Cc: herbert, kuznet, netdev, containters

I'm several days away from posting the netns xfrm patchset which will make IPsec
work inside a netns container. There are still some tricky places which
aren't ready, but, anyway, here is the big picture, so hopefully big misdesigns
can be found earlier:

1. add netns pointer to struct xfrm_state, struct xfrm_policy
	like conntracking, set in one place, write-once field,
	avoid many complications, very natural extension for policies.

2. per-netns xfrm_state_all list
3. per-netns xfrm_state_bydst, xfrm_state_bysrc, xfrm_state_byspi hashtables
	this could stay one hashtable, but then we a) get a more complex
	"everything flushed" check on netns stop, b) must make very, very sure
	iterators skip alien netns states.

	In the per-netns case: c) slightly more memory per netns,
	d) less state walking, DoS less probable.

4. per-netns xfrm_state_num -- number of xfrm_states
5. per-netns km_waitq -- so we don't make spurious wakeups of __xfrm_lookup()
6. per-netns xfrm_policy_all list
7. per-netns xfrm_policy_byidx, xfrm_policy_bydst hashes
	see 3)

8. per-netns inexact policies list
9. per-netns policy counts
10. netns parameter in state flushing, policy flushing
	xfrm_state/xfrm_policy don't pin the netns -- have to clean up everything
	on netns stop

11. per-netns NETLINK_XFRM kernel socket
12. netns-ready PF_KEY sockets
13. netns-ready ah4, esp4, ah6, esp6
14. per-netns XFRM MIBs
15. per-netns and correct /proc/net/xfrm_stat

Kept as-is:
1. all sorts of locks, mutexes et al
	- not strictly necessary
	- not strictly necessary for first cut
	- relevant only to netns users (both of them :^)
	- when someone notices contention, easy to make per-netns

2. xfrm_policy_afinfo() -- I'm trying hard to keep it as-is, but ->dst_ops and
	garbage collecting can change; the whole idea of per-netns dst_ops
	seems like quite a hack.
3. xfrm_state_afinfo -- big pile of hooks and constant data
4. xfrm types, modes -- enabled by loading modules, system-wide thing
5. xfrm_state_genid -- as I understand it, it is simply a cookie that's only compared
	for equality/lesserness; the fact that it can be bumped by more than 1
	is not interesting.

Once dust settles,
42. sysctls
43. policy migration
44. IPcomp

Again, this is the big picture; the result is that IPsec traffic was exchanged with
a netns container. Stay tuned.

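As an added illustration, not code from the patchset or the kernel, here is a userland C model of design items 1, 3, 4 and 10 above: each state carries a write-once netns pointer, each netns owns its byspi hashtable and state count, and netns stop flushes everything, so lookups never have to skip alien states and the "everything flushed" check is trivial. The struct and function names follow the mail, but the field layouts, the hash size and the constructed two-netns scenario are assumptions.

```c
#include <assert.h>
#include <stdlib.h>
/* Userland model (not kernel code) of items 1, 3, 4 and 10 of the design: a write-once
 * netns pointer per state, a per-netns byspi hashtable and state count, flush on netns stop. */
#define SPI_HASH 16
struct xfrm_state {
    struct net *xs_net;                 /* write-once, set on insert (item 1) */
    unsigned int spi;
    struct xfrm_state *next_spi;        /* chain in net->xfrm_state_byspi[h] */
};
struct net {
    struct xfrm_state *xfrm_state_byspi[SPI_HASH];   /* per-netns table (item 3) */
    unsigned int xfrm_state_num;                     /* per-netns count (item 4) */
};
void xfrm_state_insert(struct net *net, struct xfrm_state *x)
{
    struct xfrm_state **head = &net->xfrm_state_byspi[x->spi % SPI_HASH];
    assert(x->xs_net == NULL);          /* a state's netns is set exactly once */
    x->xs_net = net;
    x->next_spi = *head, *head = x;
    net->xfrm_state_num++;
}
/* Per-netns table: no alien-netns filtering, walk bounded by own states (item 3 b, d). */
struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, unsigned int spi)
{
    struct xfrm_state *x = net->xfrm_state_byspi[spi % SPI_HASH];
    while (x && x->spi != spi) x = x->next_spi;
    return x;
}
/* States do not pin the netns, so netns stop frees all it owns (item 10). Returns count. */
unsigned int xfrm_state_flush(struct net *net)
{
    unsigned int freed = 0, h;
    for (h = 0; h < SPI_HASH; h++)
        for (struct xfrm_state *x = net->xfrm_state_byspi[h], *n; x; x = n, freed++)
            n = x->next_spi, free(x);
    *net = (struct net){0};             /* "everything flushed" (item 3 a) now holds */
    return freed;
}
/* Constructed scenario: two netns sharing SPI 0x100. Returns 0 on success, else the failed step. */
int xfrm_model_scenario(void)
{
    struct net a = {0}, b = {0};
    struct xfrm_state *s[3] = {calloc(1, sizeof(struct xfrm_state)), calloc(1, sizeof(struct xfrm_state)), calloc(1, sizeof(struct xfrm_state))};
    s[0]->spi = 0x100; s[1]->spi = 0x200; s[2]->spi = 0x100;
    xfrm_state_insert(&a, s[0]); xfrm_state_insert(&a, s[1]); xfrm_state_insert(&b, s[2]);
    if (xfrm_state_lookup_byspi(&a, 0x100) != s[0] || xfrm_state_lookup_byspi(&b, 0x100) != s[2] ||
        xfrm_state_lookup_byspi(&b, 0x200) != NULL) return 1;    /* b never sees a's state */
    if (xfrm_state_flush(&a) != 2 || a.xfrm_state_num != 0 || b.xfrm_state_num != 1) return 2;
    return xfrm_state_lookup_byspi(&b, 0x100) == s[2] && xfrm_state_flush(&b) == 1 ? 0 : 3;
}
```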

* Re: netns XFRM preview
From: David Miller @ 2008-11-22  5:49 UTC (permalink / raw)
  To: adobriyan; +Cc: herbert, kuznet, netdev, containters

From: Alexey Dobriyan <adobriyan@gmail.com>
Date: Fri, 21 Nov 2008 18:21:06 +0300

> I'm several days away from posting the netns xfrm patchset which will make IPsec
> work inside a netns container. There are still some tricky places which
> aren't ready, but, anyway, here is the big picture, so hopefully big misdesigns
> can be found earlier:

It looks fine as far as I can tell, especially for a first
pass.

