Date:	Tue, 28 Oct 2008 18:35:56 +0100
From:	Vivien Chappelier <vivien.chappelier@...mson.net>
To:	netdev <netdev@...r.kernel.org>
CC:	David Miller <davem@...emloft.net>,
	Benjamin Thery <benjamin.thery@...l.net>, jleu@...dspring.com,
	linux-vrf-general@...ts.sourceforge.net
Subject: [PATCH 0/6] netns: port linux-vrf features to network namespaces

Hi,

    The recently introduced network namespaces allow separate standalone 
network stacks to coexist on the same machine. This is a very useful 
functionality that we have been using in our products for some time, 
through the VRF patchset (http://linux-vrf.sourceforge.net/). The goals 
of the VRF patchset and of network namespaces are very similar, yet some 
features of the VRF are missing that these patches intend to provide.

    The network namespaces are currently tied to a process, and 
referenced by its pid. However, a networking stack has no particular 
reason to be associated with any process and it should be possible to 
use and set up additional networking stacks without the need to clone() 
or unshare(). The initial version of the "Coexist with the sysfs 
limitations" patches by Benjamin Thery introduced the notion of a unique 
network namespace identifier (nsid) that is perfectly fit for the 
purpose of referencing networking stacks independently of any process. 
The first two patches of his set are therefore reused here to identify 
networking stacks.

    These patches additionally introduce the following features that 
were initially provided by the VRF patchset:
- the ability to move a socket to a different network namespace, through 
the new SO_NSID setsockopt(), given the nsid
- the ability to move a process to an existing network namespace, 
through the new SO_NETNS setsockopt(), given the nsid
- the ability to move an interface to a different namespace by nsid 
instead of pid
- the ability to create additional network namespaces on startup 
(dynamic addition/deletion is not supported but should be easy to add)

   To test those features, the chvrf tools attached in this mail have 
been ported to the new setsockopt() API. Example usage:

$ chnetns 1 /bin/sh   # This will attach a shell to existing network 
namespace 1

$ port -n 1 -p 3434   # This will open a listening socket on port 3434 
of network namespace 1

   Also attached is a patch to iproute2 to add the ability to move an 
interface to a different namespace by nsid, used this way:

$ ip link set eth0 nsid 1    # This will move eth0 to network namespace 1

   The patches should apply cleanly to the net-next-2.6 git tree, 
version 2.6.28-rc2, at commit 3891845e1ef6e6807075d4241966b26f6ecb0a5c.

   I would be glad to have your impression and comments on these 
patches, and to have them merged upstream once everybody is satisfied 
with them.

regards,
Vivien Chappelier.


Download attachment "chnetns.tar.gz" of type "application/x-gzip" (1553 bytes)

View attachment "iproute2.patch" of type "text/x-diff" (2453 bytes)
