From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Ilya Maximets <i.maximets@ovn.org>, netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Donald Hunter <donald.hunter@gmail.com>,
Shuah Khan <shuah@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
Kees Cook <kees@kernel.org>, Adrian Moreno <amorenoz@redhat.com>,
Jiri Benc <jbenc@redhat.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
Matteo Perin <matteo.perin@canonical.com>
Subject: Re: [PATCH net v2 2/4] net: netlink: don't set nsid on local notifications
Date: Thu, 21 May 2026 14:36:12 +0200
Message-ID: <bd9c0751-55ea-459e-8b22-8bd24abf235c@6wind.com>
In-Reply-To: <20260520172317.175168-3-i.maximets@ovn.org>
On 20/05/2026 19:22, Ilya Maximets wrote:
> In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID
> do not contain NSID in their ancillary data in case the event is local
> to the listener.
>
> However, when a self-referential NSID is allocated for a namespace,
> every local notification starts sending this ID to user space.
>
> This is problematic, because the listener cannot tell if those
> notifications are local or not anymore without making extra requests
> to figure out if the provided NSID is local or not. The listener
> also cannot figure out the local NSID beforehand as it can be
> allocated at any point in time by other processes, changing the
> structure of the future notifications for everyone.
I don't understand the use of NETLINK_LISTEN_ALL_NSID without being able to
associate an nsid with a netns.
>
> The value is practically not useful, since it's the namespace's own
> ID that the application has to obtain from other sources in order to
> figure out if it's the same or not. So, for the application it's
> just extra busy work with no benefits. Moreover, applications
> that do not know about this quirk may be mishandling notifications
> with NSID set as notifications from remote namespaces. This is the
> case for ovs-vswitchd and iproute2's 'ip monitor' that stops
> printing 'current' and starts printing the nsid number mid-session.
Why does ovs-vswitchd use NETLINK_LISTEN_ALL_NSID if it isn't able to do the
nsid <-> netns association? How are nl msgs with an nsid used?
>
> Lack of clear documentation for this behavior is also not helping.
>
> A search through open-source projects doesn't reveal any projects
> that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain
> self-referential NSIDs (expected, since the value is not useful).
> Quite the opposite, as already mentioned, there are a few applications
> that rely on NSID to not be present in local events.
>
> Since the value is not useful and actively harmful in some cases,
> let's not report it for local events, making the notifications more
> consistent.
I still don't think that this is the right "fix". The app is broken. Even after
this patch, the bug could be easily triggered again by a third party.
There is nothing wrong with assigning a self-nsid. It would be a lot more robust
for the app to assign itself a self-nsid when it starts.
Regards,
Nicolas
Thread overview: 12+ messages
2026-05-20 17:22 [PATCH net v2 0/4] netlink: fixes for cross-namespace nsid reporting Ilya Maximets
2026-05-20 17:22 ` [PATCH net v2 1/4] net: netlink: fix sending unassigned nsid after assigned one Ilya Maximets
2026-05-21 12:34 ` Nicolas Dichtel
2026-05-20 17:22 ` [PATCH net v2 2/4] net: netlink: don't set nsid on local notifications Ilya Maximets
2026-05-21 12:36 ` Nicolas Dichtel [this message]
2026-05-21 14:00 ` Jiri Benc
2026-05-21 14:25 ` Nicolas Dichtel
2026-05-21 16:01 ` Ilya Maximets
2026-05-20 17:22 ` [PATCH net v2 3/4] tools: ynl: support listening on all nsids Ilya Maximets
2026-05-20 17:22 ` [PATCH net v2 4/4] selftests: net: add a test case for nsid in all nsid notifications Ilya Maximets
2026-05-21 15:23 ` [PATCH net v2 0/4] netlink: fixes for cross-namespace nsid reporting Jakub Kicinski
2026-05-21 15:50 ` patchwork-bot+netdevbpf