From: Daniel Lezcano <dlezcano@fr.ibm.com>
To: devel@openvz.org
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Linux Containers <containers@lists.osdl.org>,
hadi@cyberus.ca, Stephen Hemminger <shemminger@osdl.org>,
netdev@vger.kernel.org
Subject: Re: [Devel] Re: Network virtualization/isolation
Date: Wed, 29 Nov 2006 23:10:39 +0100 [thread overview]
Message-ID: <456E055F.8020100@fr.ibm.com> (raw)
In-Reply-To: <456DEBAC.4060106@hp.com>
Brian Haley wrote:
> Eric W. Biederman wrote:
>> I think for cases across network socket namespaces it should
>> be a matter for the rules, to decide if the connection should
>> happen and what error code to return if the connection does not
>> happen.
>>
>> There is a potential in this to have an ambiguous case where two
>> applications can be listening for connections on the same socket
>> on the same port and both will allow the connection. If that
>> is the case I believe the proper definition is the first socket
>> that we find that will accept the connection gets the connection.
No. If you try to connect, the destination IP address is assigned to a
network namespace. This network namespace is used to leave the listening
socket ambiguity.
>
> Wouldn't you want to catch this at bind() and/or configuration time and
> fail? Having overlapping namespaces/rules seems undesirable, since as
> Herbert said, can get you "unexpected behaviour".
Overlapping is not a problem, you can have several sockets binded on the
same INADDR_ANY/port without ambiguity because the network namespace
pointer is added as a new key for sockets lookup, (src addr, src port,
dst addr, dst port, net ns pointer). The bind should not be forced to a
specific address because you will not be able to connect via 127.0.0.1.
>
>> I think with the appropriate set of rules it provides what is needed
>> for application migration. I.e. 127.0.0.1 can be filtered so that
>> you can only connect to sockets in your current container.
>>
>> It does get a little odd because it does allow for the possibility
>> that you can have multiple connected sockets with same source ip,
>> source port, destination ip, destination port. If the rules are
>> setup appropriately. I don't see that peculiarity being visible on
>> the outside network so it shouldn't be a problem.
>
> So if they're using the same protocol (eg TCP), how is it decided which
> one gets an incoming packet? Maybe I'm missing something as I don't
> understand your inside/outside network reference - is that to the
> loopback address comment in the previous paragraph?
The sockets for l3 isolation are isolated like the l2 (this is common
code). The difference is where the network namespace is found and used.
At the layer 2, it is at the network device level where the namespace is
found. At the layer 3, from the IP destination. So when you arrive to
sockets level, you have the network namespace packet destination
information and you search for sockets related to the specific namespace.
-- Daniel
next prev parent reply other threads:[~2006-11-29 22:11 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 15:51 Network virtualization/isolation Daniel Lezcano
2006-10-23 20:01 ` Stephen Hemminger
2006-10-26 9:44 ` Daniel Lezcano
2006-10-26 15:56 ` Stephen Hemminger
2006-10-26 22:16 ` Daniel Lezcano
2006-10-27 7:34 ` Dmitry Mishin
2006-10-27 9:10 ` Daniel Lezcano
2006-11-01 14:35 ` jamal
2006-11-01 16:13 ` Daniel Lezcano
2006-11-14 15:17 ` Daniel Lezcano
2006-11-14 18:12 ` James Morris
2006-11-15 9:56 ` Daniel Lezcano
2006-11-22 12:00 ` Daniel Lezcano
2006-11-25 9:09 ` Eric W. Biederman
2006-11-28 14:15 ` Daniel Lezcano
2006-11-28 16:51 ` Eric W. Biederman
2006-11-28 17:37 ` Herbert Poetzl
2006-11-28 20:26 ` Daniel Lezcano
2006-11-28 21:50 ` Eric W. Biederman
2006-11-29 5:54 ` Herbert Poetzl
2006-11-29 20:21 ` Brian Haley
2006-11-29 22:10 ` Daniel Lezcano [this message]
2006-11-30 16:15 ` [Devel] " Vlad Yasevich
2006-11-30 16:38 ` Daniel Lezcano
2006-11-30 17:24 ` Herbert Poetzl
2006-12-03 12:26 ` jamal
2006-12-03 14:13 ` jamal
2006-12-03 16:00 ` Eric W. Biederman
2006-12-04 15:19 ` Dmitry Mishin
2006-12-04 15:45 ` Eric W. Biederman
2006-12-04 16:43 ` Herbert Poetzl
2006-12-04 16:58 ` Eric W. Biederman
2006-12-04 17:02 ` Dmitry Mishin
2006-12-04 17:19 ` Herbert Poetzl
2006-12-04 17:41 ` Daniel Lezcano
2006-12-04 12:15 ` Eric W. Biederman
2006-12-04 13:44 ` jamal
2006-12-04 15:35 ` Eric W. Biederman
2006-12-04 16:00 ` Dmitry Mishin
2006-12-04 16:52 ` Eric W. Biederman
2006-12-06 11:54 ` [Devel] " Kirill Korotaev
2006-12-06 18:30 ` Herbert Poetzl
2006-12-08 19:57 ` Eric W. Biederman
2006-12-09 3:50 ` Herbert Poetzl
2006-12-09 6:13 ` Andrew Morton
2006-12-09 6:35 ` Herbert Poetzl
2006-12-09 21:18 ` Dmitry Mishin
2006-12-09 22:34 ` Kir Kolyshkin
2006-12-10 2:21 ` Herbert Poetzl
2006-12-09 8:07 ` Eric W. Biederman
2006-12-09 11:27 ` Tomasz Torcz
2006-12-09 19:04 ` Herbert Poetzl
2006-12-03 16:37 ` Herbert Poetzl
2006-12-03 16:58 ` jamal
2006-12-04 10:18 ` Daniel Lezcano
2006-12-04 13:22 ` jamal
2006-12-02 11:29 ` Kari Hurtta
2006-12-02 11:49 ` Kari Hurtta
2006-11-29 5:58 ` Herbert Poetzl
2006-11-25 8:21 ` Eric W. Biederman
2006-11-26 18:34 ` Herbert Poetzl
2006-11-26 19:41 ` Ben Greear
2006-11-26 20:52 ` Eric W. Biederman
2006-11-25 8:27 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=456E055F.8020100@fr.ibm.com \
--to=dlezcano@fr.ibm.com \
--cc=containers@lists.osdl.org \
--cc=devel@openvz.org \
--cc=ebiederm@xmission.com \
--cc=hadi@cyberus.ca \
--cc=netdev@vger.kernel.org \
--cc=shemminger@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).