netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ansis Atteka <aatteka@nicira.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC] Multi-namespace support (Request for comments)
Date: Mon, 15 Oct 2012 00:05:28 +0200	[thread overview]
Message-ID: <20121014220528.GA1432@1984> (raw)
In-Reply-To: <1350184376-7957-1-git-send-email-aatteka@nicira.com>

On Sat, Oct 13, 2012 at 08:12:56PM -0700, Ansis Atteka wrote:
> This patch should not be considered complete! It was sent out with intention
> to propose feature and receive further comments.
> 
> It enables single conntrackd process to synchronize state among multiple
> namespaces. To test this patch apply it on the top of this one:
> 
> http://markmail.org/thread/npxklk4p6g4y3rup
> 
> And use following conntrackd.conf on both hosts:
> 
> Sync {
>         Mode NOTRACK {
>                 DisableInternalCache On
>                 DisableExternalCache On
>         }
>         UDP {
>                 IPv4_Destination_Address <host[1|2]>
>                 Interface breth0
>                 SndSocketBuffer 1249280
>                 Checksum on
>                 Port 3781
>         }
> }
> General {
>         Nice -20
>         LogFile on
>         LockFile /var/lock/conntrack.lock
>         UNIX {
>                 Path /var/run/conntrackd.ctl
>                 Backlog 20
>         }
>         NetlinkBufferSize 2097152
>         NetlinkBufferSizeMaxGrowth 8388608
> }
> 
> The configuration above is used as template when instantiating
> the actual configuration for every namespace. Use following
> commands to do that:
> 
> host1: conntrackd -A namespace1 /var/run/netns/namespace1
> host1: conntrackd -A namespace2 /var/run/netns/namespace2
> host2: conntrackd -A namespace1 /var/run/netns/namespace1
> host2: conntrackd -A namespace2 /var/run/netns/namespace2
> 
> The first argument is the namespace identifier and second
> is the path to the actual namespace mount point.
> 
> This patch doesn't work correctly yet with:
> 1. caches
> 2. FTFW or ALARM modes
> 3. filters (it seems a little bit tricky to unglobalize it)
> 4. expectations
> 5. and it even breaks the current conntrackd usage (it does
> not create state object for the current namespace)
> 
> Currently I am prototyping another patch that will allow
> to synchronize different namespace subsets between more
> than two hosts (i.e. each ns_state will reference the
> right multichannel structure and use it).

This is a large changeset but seems reasonable if you put care on it,
and that will require several rounds of comments.

I have dedicated a lot of time to stabilize this software. If you want
me to take this feature, you'll have to put *a lot* of care on the
patches, really.

BTW, better split this in some patch stack. First small patches for
little changes you require to prepare the ground for your feature.
Then, the last patch should be your new feature.

Check tools like stgit to work with stacks of patches, in case you are
not familiar with them.

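The RFC instantiates the quoted conntrackd.conf per namespace inside a single patched daemon. The script below is an added example, not code from the RFC, from the linked patch or from conntrackd itself: it shows the same per-namespace instantiation done outside the daemon, with unpatched conntrackd, by rendering one config per namespace and starting one instance inside each namespace with `ip netns exec`. It assumes the template uses the `LockFile` and `UNIX Path` values shown in the thread, that `/var/run/netns/<name>` is the namespace mount point as created by ip-netns(8), and that conntrackd is started with its documented `-d` and `-C <config>` options. The function names `render_ns_conf` and `ns_conntrackd_cmd` are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the RFC or of conntrackd): one conntrackd
# instance per network namespace from a shared template.
# Assumptions: template contains the LockFile/UNIX Path lines quoted in the
# thread; NSPATH is the netns mount point (ip-netns(8)); conntrackd accepts
# -d (daemonize) and -C <config>.

set -eu

# render_ns_conf TEMPLATE NSNAME NSPATH OUTDIR
# Writes OUTDIR/conntrackd-NSNAME.conf and prints its path. Each instance
# gets its own LockFile and UNIX control socket: with a shared LockFile the
# second instance refuses to start, and with a shared UNIX Path one
# namespace's control socket would answer for (or be replaced by) another's.
render_ns_conf() {
    tmpl=$1 ns=$2 nspath=$3 outdir=$4
    # Reject names that could escape OUTDIR or inject config syntax.
    case $ns in
        ''|*/*|*[!A-Za-z0-9_.-]*)
            echo "bad namespace name: $ns" >&2; return 1 ;;
    esac
    # Refuse to render for a namespace that has no mount point yet, so a
    # typo does not silently produce a config for a non-existent namespace.
    [ -e "$nspath" ] || { echo "netns mount point missing: $nspath" >&2; return 1; }
    out="$outdir/conntrackd-$ns.conf"
    sed -e "s|LockFile /var/lock/conntrack.lock|LockFile /var/lock/conntrackd-$ns.lock|" \
        -e "s|Path /var/run/conntrackd.ctl|Path /var/run/conntrackd-$ns.ctl|" \
        "$tmpl" > "$out"
    echo "$out"
}

# ns_conntrackd_cmd NSNAME CONF
# Prints the command that starts conntrackd for one namespace. Under
# "ip netns exec" both the netlink conntrack socket and the UDP sync socket
# are created inside that namespace, so the instance only sees and
# replicates its own conntrack table. Printed rather than executed because
# it needs root and a namespace whose "Interface" (breth0 in the template)
# exists.
ns_conntrackd_cmd() {
    ns=$1 conf=$2
    printf 'ip netns exec %s conntrackd -d -C %s\n' "$ns" "$conf"
}
```

Usage on each host, mirroring the `conntrackd -A` lines in the RFC: `conf=$(render_ns_conf /etc/conntrackd/conntrackd.conf namespace1 /var/run/netns/namespace1 /etc/conntrackd)` followed by `sh -c "$(ns_conntrackd_cmd namespace1 "$conf")"`, repeated for namespace2. This gives one process per namespace instead of the RFC's single process, so the RFC's limitations (caches, FTFW/ALARM, filters, expectations) do not apply, at the cost of one daemon and one UDP sync socket per namespace.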
2012-10-14  3:12 [RFC] Multi-namespace support (Request for comments) Ansis Atteka
2012-10-14 22:05 ` Pablo Neira Ayuso [this message]