From: Corubba Smith <corubba@gmx.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH ulogd2] nfct: add network namespace support
Date: Wed, 12 Mar 2025 13:19:58 +0100 [thread overview]
Message-ID: <cd856fe5-2070-42c5-990f-8879d04cb731@gmx.de> (raw)
In-Reply-To: <20250312083716.GA14222@breakpoint.cc>
On 3/12/25 09:37, Florian Westphal wrote:
> Corubba Smith <corubba@gmx.de> wrote:
>> Add a new option which allows opening the netlink socket in a different
>> network namespace. This way you can run ulogd in one (management)
>> network namespace which is able to talk with your export target (e.g.
>> database or IPFIX collector), and import flows from multiple (customer)
>> network namespaces.
>
> Makes sense to me.
>
>> This commit only implements it for NFCT. I wanted to gather some
>> feedback before also implementing it for the other netlink-based
>> plugins.
>
> Does it make sense to have this configured on a per-plugin basis?
I honestly don't see the usecase for it. Enabling namespace support
depends on whether the used libc supports the required syscall, which is
the same for all plugins. But even if namespace support is compiled in
globally, you still need to activate it per plugin instance by setting
the namespace path config option. That option is not mandatory, and if
not set the plugin will behave the same as before, opening the netlink
socket in the current network namespace. So compiling in namespace
support alone does not change the runtime behaviour (or actually use the
syscall), it only does when you also explicitly use the namespace path
option on a plugin instance.
>
>> Input plugins:
>> NFLOG plugin: ${enable_nflog}
>> NFCT plugin: ${enable_nfct}
>
>> +#ifdef NETNS_SUPPORT
>> + if (strlen(target_netns_path) > 0) {
>> + errno = 0;
>> + original_netns_fd = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
>> + if (original_netns_fd < 0) {
>> + ulogd_log(ULOGD_FATAL, "error opening original network namespace: %s\n", strerror(errno));
>> + goto err_ons;
>> + }
>
> I think that in order to not have copypastry in all relevant plugins
> it would be better to turn code in the NETNS_SUPPORT ifdefs section
> into library helpers.
>
> The helpers would always exist; in case ulogd2 is built without
> support they would raise an error.
>
> That would also keep the ifdef out of plugin code.
Very good point, will do that. Thanks!
--
Corubba
prev parent reply other threads:[~2025-03-12 12:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-08 23:14 [PATCH ulogd2] nfct: add network namespace support Corubba Smith
2025-03-12 8:37 ` Florian Westphal
2025-03-12 12:19 ` Corubba Smith [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd856fe5-2070-42c5-990f-8879d04cb731@gmx.de \
--to=corubba@gmx.de \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).