From: Daniel Lezcano <dlezcano@fr.ibm.com>
To: "Denis V. Lunev" <den@sw.ru>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
netdev@vger.kernel.org, Pavel Emelianov <xemul@sw.ru>,
Linux Containers <containers@lists.osdl.org>,
David Miller <davem@davemloft.net>
Subject: Re: [Devel] [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace
Date: Wed, 10 Oct 2007 16:05:26 +0200 [thread overview]
Message-ID: <470CDC26.6010608@fr.ibm.com> (raw)
In-Reply-To: <470CC6F6.60706@sw.ru>
Denis V. Lunev wrote:
> Eric W. Biederman wrote:
>> Before I can enable rtnetlink to work in all network namespaces
>> I need to be certain that something won't break. So this
>> patch deliberately disables all of the rtnletlink methods in everything
>> except the initial network namespace. After the methods have been
>> audited this extra check can be disabled.
>>
> [...]
>> static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
>> {
>> + struct net *net = skb->sk->sk_net;
>> struct net_device *dev;
>> int idx;
>>
>
> I've read some code today greping 'init_net.loopback_dev' and found
> interesting non-trivial for me issue.
>
> Network namespace is extracted from the packet in two different ways in
> TCP. This is a socket for outgoing path and a device for incoming.
> Though, there are some places called uniformly both from incoming and
> outgoing path.
>
> Typical example is netfilters. They are called uniformly all around the
> code. The prototype is the following:
>
> static unsigned int reject6_target(struct sk_buff **pskb,
> const struct net_device *in,
> const struct net_device *out,
> unsigned int hooknum,
> const struct xt_target *target,
> const void *targinfo);
>
Thanks Denis for auditing the code.
As far as I see, struct net_device *in is NULL for outgoing traffic and
struct net_device *out is NULL for ingress traffic. Except for the
FORWARD rules where both are filled. If we are following network
namespace semantic, we should not have two network devices belonging to
two differents namespaces, right ?
In this case, the following line of code should be sufficient to
retrieve the network namespace, no ?
struct net *net = in?in->nd_net:out->nd_net;
> So, we are bound to the following options:
> - perform additional non-uniform hacks around to place 'struct net' into
> other and other structures like xt_target
> - add 7th parameter here and over
> - introduce an skb_net field in the 'struct sk_buff' making all code
> uniform, at least when we have an skb
>
> I think that this is not the last place with such a parameter list and
> we should make a decision at this point when the code in not mainline yet.
>
> As far as I understand, netfilters are not touched by the Eric and we
> can face some non-trivial problems there.
In Eric's git tree:
http://git.kernel.org/?p=linux/kernel/git/ebiederm/linux-2.6-netns.git
There are some modifications concerning
net/ipv4/netfiler/iptable_filter.c and at the ipt_hook function, there is:
struct net *net = (in?in:out)->nd_net;
> So, if my point about uniformity is valid, this patchset looks wrong and
> should be re-worked :(
As Eric said, we want to build the network namespace step by step,
taking care of not breaking the init network namespace.
If you want to make iptables per namespace or catch problems before the
code goes to Dave's tree, IMHO it will be more convenient to post to
containers@ the patches against netns49, where the modifications will be
in a network namespace big picture.
Regards.
-- Daniel
next prev parent reply other threads:[~2007-10-10 14:11 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-29 1:00 [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace Eric W. Biederman
2007-09-29 1:02 ` [PATCH 2/5] net: Make rtnetlink infrastructure network namespace aware Eric W. Biederman
[not found] ` <m1hcle9td8.fsf-T1Yj925okcoyDheHMi7gv2pdwda3JcWeAL8bYrjMMd8@public.gmane.org>
2007-09-29 1:04 ` [PATCH 3/5] net: Make the netlink methods in rtnetlink handle multiple network namespaces Eric W. Biederman
2007-09-29 1:07 ` [PATCH 4/5] net: Make AF_PACKET " Eric W. Biederman
2007-09-29 1:08 ` [PATCH 5/5] net: Make AF_UNIX per network namespace safe Eric W. Biederman
2007-09-29 15:47 ` Patrick McHardy
2007-09-29 17:03 ` Eric W. Biederman
2007-09-29 17:50 ` Patrick McHardy
2007-09-29 15:44 ` [PATCH 2/5] net: Make rtnetlink infrastructure network namespace aware Patrick McHardy
2007-09-29 16:51 ` Eric W. Biederman
2007-09-29 17:48 ` Patrick McHardy
2007-09-29 21:00 ` Eric W. Biederman
2007-09-30 13:13 ` [Devel] " Denis V. Lunev
2007-09-30 15:39 ` Patrick McHardy
2007-10-01 8:26 ` [Devel] " Denis V. Lunev
2007-10-01 8:45 ` Eric W. Biederman
2007-10-10 12:35 ` [Devel] [PATCH 1/5] net: Modify all rtnetlink methods to only work in the initial namespace Denis V. Lunev
2007-10-10 14:05 ` Daniel Lezcano [this message]
2007-10-10 14:29 ` Denis V. Lunev
2007-10-10 19:37 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470CDC26.6010608@fr.ibm.com \
--to=dlezcano@fr.ibm.com \
--cc=containers@lists.osdl.org \
--cc=davem@davemloft.net \
--cc=den@sw.ru \
--cc=ebiederm@xmission.com \
--cc=netdev@vger.kernel.org \
--cc=xemul@sw.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).