From: Florian LAUNAY <launayflorian@gmail.com>
To: Christian Brauner <christian@brauner.io>,
davem@davemloft.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, bridge@lists.linux-foundation.org
Cc: tyhicks@canonical.com, pablo@netfilter.org,
kadlec@blackhole.kfki.hu, fw@strlen.de,
roopa@cumulusnetworks.com, nikolay@cumulusnetworks.com
Subject: Re: [PATCH net-next 0/2] br_netfilter: enable in non-initial netns
Date: Thu, 7 Mar 2019 15:58:09 +0100 [thread overview]
Message-ID: <aca5e0b4-7c2a-4bd5-41ba-9a6ac965b9c6@gmail.com> (raw)
In-Reply-To: <20181107134859.19896-1-christian@brauner.io>
Hi everyone,
Can someone help move this topic forward ?
This issue simply prevents any advanced use of docker in LXC.
Thank you in advance!
Florian LAUNAY
On 07/11/2018 14:48, Christian Brauner wrote:
> Hey everyone,
>
> Over time I have seen multiple reports by users who want to run applications
> (Kubernetes e.g. via [1]) that require the br_netfilter module in
> non-initial network namespaces [2], [3], [4], [5] (There are more issues
> where this requirement is reported.).
> Currently, the /proc/sys/net/bridge folder is only created in the
> initial network namespace. This patch series ensures that the
> /proc/sys/net/bridge folder is available in each network namespace if
> the module is loaded and disappears from all network namespaces when the
> module is unloaded.
> The patch series also makes the sysctls:
>
> bridge-nf-call-arptables
> bridge-nf-call-ip6tables
> bridge-nf-call-iptables
> bridge-nf-filter-pppoe-tagged
> bridge-nf-filter-vlan-tagged
> bridge-nf-pass-vlan-input-dev
>
> apply per network namespace. This unblocks some use-cases where users
> would like to e.g. not do bridge filtering for bridges in a specific
> network namespace while doing so for bridges located in another network
> namespace.
> The netfilter rules are afaict already per network namespace so it
> should be safe for users to specify whether a bridge device inside their
> network namespace is supposed to go through iptables et al. or not.
> Also, this can already be done by setting an option for each individual
> bridge via Netlink. It should also be possible to do this for all
> bridges in a network namespace via sysctls.
>
> Thanks!
> Christian
>
> [1]: https://github.com/zimmertr/Bootstrap-Kubernetes-with-Ansible
> [2]: https://github.com/lxc/lxd/issues/5193
> [3]: https://discuss.linuxcontainers.org/t/bridge-nf-call-iptables-and-swap-error-on-lxd-with-kubeadm/2204
> [4]: https://github.com/lxc/lxd/issues/3306
> [5]: https://gitlab.com/gitlab-org/gitlab-runner/issues/3705
>
> Christian Brauner (2):
> br_netfilter: add struct netns_brnf
> br_netfilter: namespace bridge netfilter sysctls
>
> include/net/net_namespace.h | 3 +
> include/net/netfilter/br_netfilter.h | 3 +-
> include/net/netns/netfilter.h | 16 +++
> net/bridge/br_netfilter_hooks.c | 166 ++++++++++++++++++---------
> net/bridge/br_netfilter_ipv6.c | 2 +-
> 5 files changed, 134 insertions(+), 56 deletions(-)
>
prev parent reply other threads:[~2019-03-07 14:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-07 13:48 [PATCH net-next 0/2] br_netfilter: enable in non-initial netns Christian Brauner
2018-11-07 13:48 ` [PATCH net-next 1/2] br_netfilter: add struct netns_brnf Christian Brauner
2018-11-27 0:20 ` Pablo Neira Ayuso
2018-11-27 2:20 ` Christian Brauner
2018-11-27 8:23 ` Pablo Neira Ayuso
2018-11-27 10:19 ` Christian Brauner
2018-12-13 11:43 ` Christian Brauner
2018-11-07 13:48 ` [PATCH net-next 2/2] br_netfilter: namespace bridge netfilter sysctls Christian Brauner
2019-03-07 14:58 ` Florian LAUNAY [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aca5e0b4-7c2a-4bd5-41ba-9a6ac965b9c6@gmail.com \
--to=launayflorian@gmail.com \
--cc=bridge@lists.linux-foundation.org \
--cc=christian@brauner.io \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=pablo@netfilter.org \
--cc=roopa@cumulusnetworks.com \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).