[PATCH 00/25] Conntracking and NAT in netns

[PATCH 00/25] Conntracking and NAT in netns

[Alexey Dobriyan]

Hi, patchbomb below makes significant parts of connection tracking and
NAT code usable in netns and independent from other netns.

Status is that it is lightly tested but more or less works, I used it on
a box which provides NAT for another with all netdevices moved to netns,
routing and iptables rules set up and rules flushed in init_net.

So far so good.

Weak points:
a) races during netns destruction or conntrack modules unload
   (see more in patches)
b) grabbing netns from skb->dev or skb->dst->dev
   these places should be checked with extreme scrunity :-\
c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
   a patch and full day to setup and test it :^)
d) IPv6 conntracking wasn't tested.
e) ordering probably should be redone (or it shouldn't since netfilter
   is banned in netns as is, so nobody will care)

Re: [PATCH 00/25] Conntracking and NAT in netns

[Daniel Lezcano]

Alexey Dobriyan wrote:
> Hi, patchbomb below makes significant parts of connection tracking and
> NAT code usable in netns and independent from other netns.
> 
> Status is that it is lightly tested but more or less works, I used it on
> a box which provides NAT for another with all netdevices moved to netns,
> routing and iptables rules set up and rules flushed in init_net.
> 
> So far so good.
> 
> Weak points:
> a) races during netns destruction or conntrack modules unload
>    (see more in patches)
> b) grabbing netns from skb->dev or skb->dst->dev
>    these places should be checked with extreme scrunity :-\
> c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
>    a patch and full day to setup and test it :^)
> d) IPv6 conntracking wasn't tested.
> e) ordering probably should be redone (or it shouldn't since netfilter
>    is banned in netns as is, so nobody will care)

You describe this patchset as no finished and there is a patch to not be 
applied, shall I assume it is a RFC ?

In any case, thanks Alexey for this patchset, I will it review tomorrow.

   -- Daniel

Re: [PATCH 00/25] Conntracking and NAT in netns

[Alexey Dobriyan]

On Sun, Jun 22, 2008 at 11:41:56PM +0200, Daniel Lezcano wrote:
> Alexey Dobriyan wrote:
>> Hi, patchbomb below makes significant parts of connection tracking and
>> NAT code usable in netns and independent from other netns.
>> Status is that it is lightly tested but more or less works, I used it on
>> a box which provides NAT for another with all netdevices moved to netns,
>> routing and iptables rules set up and rules flushed in init_net.
>> So far so good.
>> Weak points:
>> a) races during netns destruction or conntrack modules unload
>>    (see more in patches)
>> b) grabbing netns from skb->dev or skb->dst->dev
>>    these places should be checked with extreme scrunity :-\
>> c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
>>    a patch and full day to setup and test it :^)
>> d) IPv6 conntracking wasn't tested.
>> e) ordering probably should be redone (or it shouldn't since netfilter
>>    is banned in netns as is, so nobody will care)
>
> You describe this patchset as no finished and there is a patch to not be 
> applied, shall I assume it is a RFC ?

Well, more or less. It's something like 90% similar to final thing
unless somebody will find some serious issue.

Patch to not be applied (yet) is for people wanting to try these patches
and not waste time fixing "iptables doesn't work" problem.

Re: [PATCH 00/25] Conntracking and NAT in netns

[Patrick McHardy]

Alexey Dobriyan wrote:
> Hi, patchbomb below makes significant parts of connection tracking and
> NAT code usable in netns and independent from other netns.
> 
> Status is that it is lightly tested but more or less works, I used it on
> a box which provides NAT for another with all netdevices moved to netns,
> routing and iptables rules set up and rules flushed in init_net.

OK, I assume "Do not apply" applies to all patches then.

> So far so good.
> 
> Weak points:
> a) races during netns destruction or conntrack modules unload
>    (see more in patches)
> b) grabbing netns from skb->dev or skb->dst->dev
>    these places should be checked with extreme scrunity :-\

Will do.

> c) some stuff not converted (pptp, h323) -- it's like 10 minutes to make
>    a patch and full day to setup and test it :^)
> d) IPv6 conntracking wasn't tested.
 >
> e) ordering probably should be redone (or it shouldn't since netfilter
>    is banned in netns as is, so nobody will care)

I think its most important that its bisectable for the non-ns
case. So thats OK.