[patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Chen Weilong]

From: Weilong Chen <chenweilong@huawei.com>

Like bonding, vlan as netdevice doesn't cross netns boundaries.

Vlan port and vlan itself live in same netns.

Signed-off-by: Weilong Chen <chenweilong@huawei.com>
---
 net/8021q/vlan_dev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 733ec28..2ef4a54 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -685,6 +685,9 @@ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
 	features |= old_features & NETIF_F_SOFT_FEATURES;
 	features |= NETIF_F_LLTX;
 
+	/* Don't allow vlan devices to change network namespaces. */
+	features |= NETIF_F_NETNS_LOCAL;
+
 	return features;
 }
 
-- 
1.7.12

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Nicolas Dichtel]

Le 22/04/2014 14:43, Chen Weilong a écrit :
> From: Weilong Chen <chenweilong@huawei.com>
>
> Like bonding, vlan as netdevice doesn't cross netns boundaries.
>
> Vlan port and vlan itself live in same netns.
>
> Signed-off-by: Weilong Chen <chenweilong@huawei.com>
Do you propose this patch because you've seen bugs?
I think that it's interesting to have this x-netns feature.


Regards,
Nicolas

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Eric Dumazet]

On Tue, 2014-04-22 at 20:43 +0800, Chen Weilong wrote:
> From: Weilong Chen <chenweilong@huawei.com>
> 
> Like bonding, vlan as netdevice doesn't cross netns boundaries.
> 
> Vlan port and vlan itself live in same netns.

Please explain why you believe it should be like that.

bonding and vlan have quite different purpose, so your changelog is
quite obscure.

We had a discussion like this one with macvlan, and prior patch was
rejected.

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[chenweilong]

On 2014/4/22 22:26, Eric Dumazet wrote:
> On Tue, 2014-04-22 at 20:43 +0800, Chen Weilong wrote:
>> From: Weilong Chen <chenweilong@huawei.com>
>>
>> Like bonding, vlan as netdevice doesn't cross netns boundaries.
>>
>> Vlan port and vlan itself live in same netns.
> 
> Please explain why you believe it should be like that.
> 
> bonding and vlan have quite different purpose, so your changelog is
> quite obscure.
> 
> We had a discussion like this one with macvlan, and prior patch was
> rejected.
> 
> 
> 
> 
This idea comes from the different result of two changing namespace orders.
Test on eth1 and its vlan eth1.5, move them form default ns to a new ns called net0.
1.move eth1 first,and then eth1.5;
2.move eth1.5 first, and then eth1;
As a network manager, I will be happy they both work, I don't care about the orders.
But, 1) doesn't work, if eth1 was moved to other ns, all related vlans were unregisted.
you need to create a new eth1.5 in net0.
And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
things complex.

So what's the better order ?
I prefer 1), when a vlan dev is setup, it has a namespace, and belongs to it,
When somebody moves it, it should say 'hey boy, don't move me,I like here :0'

Thanks,
Weilong

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Nicolas Dichtel]

Le 23/04/2014 04:40, chenweilong a écrit :
> On 2014/4/22 22:26, Eric Dumazet wrote:
>> On Tue, 2014-04-22 at 20:43 +0800, Chen Weilong wrote:
>>> From: Weilong Chen <chenweilong@huawei.com>
>>>
>>> Like bonding, vlan as netdevice doesn't cross netns boundaries.
>>>
>>> Vlan port and vlan itself live in same netns.
>>
>> Please explain why you believe it should be like that.
>>
>> bonding and vlan have quite different purpose, so your changelog is
>> quite obscure.
>>
>> We had a discussion like this one with macvlan, and prior patch was
>> rejected.
>>
>>
>>
>>
> This idea comes from the different result of two changing namespace orders.
> Test on eth1 and its vlan eth1.5, move them form default ns to a new ns called net0.
> 1.move eth1 first,and then eth1.5;
> 2.move eth1.5 first, and then eth1;
> As a network manager, I will be happy they both work, I don't care about the orders.
> But, 1) doesn't work, if eth1 was moved to other ns, all related vlans were unregisted.
> you need to create a new eth1.5 in net0.
> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
> things complex.
We have to fix this case, because it is a valid use case to have eth1.5 in net0
and eth1 in another ns.

>
> So what's the better order ?
> I prefer 1), when a vlan dev is setup, it has a namespace, and belongs to it,
> When somebody moves it, it should say 'hey boy, don't move me,I like here :0'
>
> Thanks,
> Weilong

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[chenweilong]

On 2014/4/23 15:23, Nicolas Dichtel wrote:
> Le 23/04/2014 04:40, chenweilong a écrit :
>> On 2014/4/22 22:26, Eric Dumazet wrote:
>>> On Tue, 2014-04-22 at 20:43 +0800, Chen Weilong wrote:
>>>> From: Weilong Chen <chenweilong@huawei.com>
>>>>
>>>> Like bonding, vlan as netdevice doesn't cross netns boundaries.
>>>>
>>>> Vlan port and vlan itself live in same netns.
>>>
>>> Please explain why you believe it should be like that.
>>>
>>> bonding and vlan have quite different purpose, so your changelog is
>>> quite obscure.
>>>
>>> We had a discussion like this one with macvlan, and prior patch was
>>> rejected.
>>>
>>>
>>>
>>>
>> This idea comes from the different result of two changing namespace orders.
>> Test on eth1 and its vlan eth1.5, move them form default ns to a new ns called net0.
>> 1.move eth1 first,and then eth1.5;
>> 2.move eth1.5 first, and then eth1;
>> As a network manager, I will be happy they both work, I don't care about the orders.
>> But, 1) doesn't work, if eth1 was moved to other ns, all related vlans were unregisted.
>> you need to create a new eth1.5 in net0.
>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>> things complex.
> We have to fix this case, because it is a valid use case to have eth1.5 in net0
> and eth1 in another ns.
> 
eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
in old ns, report 'error: File exists'.

>>
>> So what's the better order ?
>> I prefer 1), when a vlan dev is setup, it has a namespace, and belongs to it,
>> When somebody moves it, it should say 'hey boy, don't move me,I like here :0'
>>
>> Thanks,
>> Weilong
> -- 
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Michal Kubecek]

On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
> On 2014/4/23 15:23, Nicolas Dichtel wrote:
> > Le 23/04/2014 04:40, chenweilong a écrit :
> >> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
> >> things complex.
> > We have to fix this case, because it is a valid use case to have eth1.5 in net0
> > and eth1 in another ns.
> > 
> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
> in old ns, report 'error: File exists'.

And this is correct, as far as I can tell. If it was possible, which of
the two interfaces would receive VLAN tagged packets with VID 5 coming
to eth1?

                                                         Michal Kubecek

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Nicolas Dichtel]

Le 24/04/2014 07:47, Michal Kubecek a écrit :
> On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
>> On 2014/4/23 15:23, Nicolas Dichtel wrote:
>>> Le 23/04/2014 04:40, chenweilong a écrit :
>>>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>>>> things complex.
>>> We have to fix this case, because it is a valid use case to have eth1.5 in net0
>>> and eth1 in another ns.
>>>
>> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
>> in old ns, report 'error: File exists'.
>
> And this is correct, as far as I can tell. If it was possible, which of
> the two interfaces would receive VLAN tagged packets with VID 5 coming
> to eth1?
I agree, this is the correct behavior.

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[chenweilong]

On 2014/4/24 13:47, Michal Kubecek wrote:
> On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
>> On 2014/4/23 15:23, Nicolas Dichtel wrote:
>>> Le 23/04/2014 04:40, chenweilong a écrit :
>>>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>>>> things complex.
>>> We have to fix this case, because it is a valid use case to have eth1.5 in net0
>>> and eth1 in another ns.
>>>
>> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
>> in old ns, report 'error: File exists'.
> 
> And this is correct, as far as I can tell. If it was possible, which of
> the two interfaces would receive VLAN tagged packets with VID 5 coming
> to eth1?
> 
>                                                          Michal Kubecek
> 
> 
> 
If eth1 and eth1.5 can work in different ns,
my fist test(move eth1 first,and then eth1.5) should be success,
but it failed, if eth1 was moved to other ns, all related vlans were unregisted.
Strangely, if I move eth1.5 to net0, then move eth1 to net0, and then
move eth1 to net1, eth1.5 is still there!
It is a bug?

I agree with you there should be one interface tagged with VID 5 in the system.
But I think the network namespaces are independent, vlan port and its VID interfaces
spread in different ns break the rule.

Thanks,

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[chenweilong]

On 2014/4/24 19:32, chenweilong wrote:
> On 2014/4/24 13:47, Michal Kubecek wrote:
>> On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
>>> On 2014/4/23 15:23, Nicolas Dichtel wrote:
>>>> Le 23/04/2014 04:40, chenweilong a écrit :
>>>>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>>>>> things complex.
>>>> We have to fix this case, because it is a valid use case to have eth1.5 in net0
>>>> and eth1 in another ns.
>>>>
>>> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
>>> in old ns, report 'error: File exists'.
>>
>> And this is correct, as far as I can tell. If it was possible, which of
>> the two interfaces would receive VLAN tagged packets with VID 5 coming
>> to eth1?
>>
>>                                                          Michal Kubecek
>>
>>
>>
> If eth1 and eth1.5 can work in different ns,
> my fist test(move eth1 first,and then eth1.5) should be success,
> but it failed, if eth1 was moved to other ns, all related vlans were unregisted.
> Strangely, if I move eth1.5 to net0, then move eth1 to net0, and then
> move eth1 to net1, eth1.5 is still there!
> It is a bug?
Find at last it's a behavior of SUSE's udevd , not the kernel.
When move eth1 to net0, udevd call /sbin/ifdown to down eth1
and then ifdown eth1.5, and then ifdown-802.1q eth1.5 and then
vconfig rem eth1.5!

Thanks everybody!
> 
> I agree with you there should be one interface tagged with VID 5 in the system.
> But I think the network namespaces are independent, vlan port and its VID interfaces
> spread in different ns break the rule.
> 
> Thanks,
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[Nicolas Dichtel]

Le 24/04/2014 14:41, chenweilong a écrit :
> On 2014/4/24 19:32, chenweilong wrote:
>> On 2014/4/24 13:47, Michal Kubecek wrote:
>>> On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
>>>> On 2014/4/23 15:23, Nicolas Dichtel wrote:
>>>>> Le 23/04/2014 04:40, chenweilong a écrit :
>>>>>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>>>>>> things complex.
>>>>> We have to fix this case, because it is a valid use case to have eth1.5 in net0
>>>>> and eth1 in another ns.
>>>>>
>>>> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
>>>> in old ns, report 'error: File exists'.
>>>
>>> And this is correct, as far as I can tell. If it was possible, which of
>>> the two interfaces would receive VLAN tagged packets with VID 5 coming
>>> to eth1?
>>>
>>>                                                           Michal Kubecek
>>>
>>>
>>>
>> If eth1 and eth1.5 can work in different ns,
>> my fist test(move eth1 first,and then eth1.5) should be success,
>> but it failed, if eth1 was moved to other ns, all related vlans were unregisted.
>> Strangely, if I move eth1.5 to net0, then move eth1 to net0, and then
>> move eth1 to net1, eth1.5 is still there!
>> It is a bug?
> Find at last it's a behavior of SUSE's udevd , not the kernel.
> When move eth1 to net0, udevd call /sbin/ifdown to down eth1
> and then ifdown eth1.5, and then ifdown-802.1q eth1.5 and then
> vconfig rem eth1.5!
>
> Thanks everybody!
>>
>> I agree with you there should be one interface tagged with VID 5 in the system.
>> But I think the network namespaces are independent, vlan port and its VID interfaces
>> spread in different ns break the rule.
VID are unique per interface, for example eth0 can only have one VID 5.
Even if eth1.5 stands in another netns, it is still "connected" to eth0.

I agree that network namespaces are independent, but there are mechanism to
connect them between each other or to connect these netns to a "physical"
network even if you don't have a NIC for each netns on your system. For
example, IP tunnels (ipip, sit, ip6_tunnels) allow to have encapsulation
addresses in one netns and the netdevice in another netns:

ip netns add ns1
ip netns exec ns1 ip link set lo up

ip link add ipip1 type ipip remote 10.16.0.121 local 10.16.0.249
ip link set ipip1 netns ns1
ip netns exec ns1 ip link set ipip1 up
ip netns exec ns1 ip addr add dev ipip1 192.168.2.123 remote 192.168.2.121

vlan may also provide this kind of mechanism.

Regards,
Nicolas

Re: [patch net-next] vlan: Don't allow vlan devices to change network namespaces.

[chenweilong]

On 2014/4/24 21:21, Nicolas Dichtel wrote:
> Le 24/04/2014 14:41, chenweilong a écrit :
>> On 2014/4/24 19:32, chenweilong wrote:
>>> On 2014/4/24 13:47, Michal Kubecek wrote:
>>>> On Thu, Apr 24, 2014 at 08:59:51AM +0800, chenweilong wrote:
>>>>> On 2014/4/23 15:23, Nicolas Dichtel wrote:
>>>>>> Le 23/04/2014 04:40, chenweilong a écrit :
>>>>>>> And, 2) is not safe, if someone forgets to move eth1, eth1.5 will not work, making
>>>>>>> things complex.
>>>>>> We have to fix this case, because it is a valid use case to have eth1.5 in net0
>>>>>> and eth1 in another ns.
>>>>>>
>>>>> eth1.5 can receive and send packets in net0, the problem is you can't add a new eth1.5
>>>>> in old ns, report 'error: File exists'.
>>>>
>>>> And this is correct, as far as I can tell. If it was possible, which of
>>>> the two interfaces would receive VLAN tagged packets with VID 5 coming
>>>> to eth1?
>>>>
>>>>                                                           Michal Kubecek
>>>>
>>>>
>>>>
>>> If eth1 and eth1.5 can work in different ns,
>>> my fist test(move eth1 first,and then eth1.5) should be success,
>>> but it failed, if eth1 was moved to other ns, all related vlans were unregisted.
>>> Strangely, if I move eth1.5 to net0, then move eth1 to net0, and then
>>> move eth1 to net1, eth1.5 is still there!
>>> It is a bug?
>> Find at last it's a behavior of SUSE's udevd , not the kernel.
>> When move eth1 to net0, udevd call /sbin/ifdown to down eth1
>> and then ifdown eth1.5, and then ifdown-802.1q eth1.5 and then
>> vconfig rem eth1.5!
>>
>> Thanks everybody!
>>>
>>> I agree with you there should be one interface tagged with VID 5 in the system.
>>> But I think the network namespaces are independent, vlan port and its VID interfaces
>>> spread in different ns break the rule.
> VID are unique per interface, for example eth0 can only have one VID 5.
> Even if eth1.5 stands in another netns, it is still "connected" to eth0.
> 
> I agree that network namespaces are independent, but there are mechanism to
> connect them between each other or to connect these netns to a "physical"
> network even if you don't have a NIC for each netns on your system. For
> example, IP tunnels (ipip, sit, ip6_tunnels) allow to have encapsulation
> addresses in one netns and the netdevice in another netns:
> 
> ip netns add ns1
> ip netns exec ns1 ip link set lo up
> 
> ip link add ipip1 type ipip remote 10.16.0.121 local 10.16.0.249
> ip link set ipip1 netns ns1
> ip netns exec ns1 ip link set ipip1 up
> ip netns exec ns1 ip addr add dev ipip1 192.168.2.123 remote 192.168.2.121
> 
> vlan may also provide this kind of mechanism.
> 
> Regards,
> Nicolas
> 
> 
Agree,

Thanks!