Date:	Wed, 12 Dec 2012 13:11:02 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	nicolas.dichtel@...nd.com
Cc:	netdev@...r.kernel.org, davem@...emloft.net, aatteka@...ira.com
Subject: Re: [RFC PATCH net-next 0/5] Ease netns management for userland

Nicolas Dichtel <nicolas.dichtel@...nd.com> writes:

> On 12/12/2012 20:25, Eric W. Biederman wrote:

>> Short answer you don't need to do any of this.
>>
>> setns with the namespace files in /proc/<pid>/ns/net gives you more than
>> enough mechanism to solve this problem.  And iproute2 already supports
>> all of this.
>>
>> And your approach creates very serious maintenance problems to the
>> point I don't even want to read your patches.  What namespace do your
>> namespace id's live in?
>>
>> A socketopt to change the namespace of a socket is nasty because sockets
>> changing which network namespace they are in, leads to races which
>> aren't worth thinking about writing the code to handle.
>>
>> Longer answer.
>>
>> You can bind mount the namespace id's /proc/<pid>/ns/net files to
>> give you any name you want.  This puts naming policy in userspace
>> control, and nests just fine.
>>
>> You can open a socket in any network namespace you want just
>> by calling setns before socket.  Wrapping this idiom in a library call
>> or if there is sufficient need in a socketat system call seems
>> reasonable.
> Yes, I agree that this SO_NETNS may be a bad idea.
>
>>
>> There is a classic question of if two network namespace files refer to
>> the same network namespace and I have code in linux-next and my pull
>> request to Linus to give those files a unique inode number.
> Interesting to know that.
>
>>
>> So please use the facilities already merged into the kernel.
> Ok, but how can a daemon get the list of netns? Suppose that we want
> quagga to manage all netns; how can it get this list to open the needed
> netlink socket?
>
> For example, iproute2 is only aware of netns created with iproute2, but it
> will not detect other netns.

iproute2 is only aware of network namespaces created with the convention
that iproute2 uses.

If you want other network namespaces to be visible globally use the same
or a similar convention. All iproute2 does is
"mount --bind /proc/<pid>/ns/net /var/run/netns/<name>".   So this
convention is not hard to follow.

It is very wrong to presume that without context you know the reason for
the existence of any network namespace and that you should or even that
you can manage it.  Think of running your multi-network namespace
managing application in a container.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
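As an added illustration of the idiom Eric describes (this is example code, not code from this thread, from iproute2 or from the kernel): a small C program that follows the iproute2 naming convention under /var/run/netns, decides whether two namespace files refer to the same network namespace by comparing the (st_dev, st_ino) pair of the namespace inode, which is what the unique-inode change he mentions makes possible, and opens a socket in a named namespace by calling setns(2) before socket(2) and switching back afterwards. The namespace name "blue", the optional directory argument and the helper names are assumptions for the example; actually entering a namespace requires CAP_SYS_ADMIN, so without it the program reports EPERM rather than opening the socket.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Directory used by the iproute2 convention: "ip netns add NAME" bind-mounts
 * /proc/<pid>/ns/net onto /var/run/netns/NAME. */
#define NETNS_RUN_DIR "/var/run/netns"

/* Return 1 if the two paths name the same network namespace, 0 if they
 * differ, -1 on error (errno set). Identity is (st_dev, st_ino) of the
 * namespace inode; two bind mounts of the same netns compare equal. */
int netns_same(const char *path_a, const char *path_b)
{
    struct stat sa, sb;
    if (stat(path_a, &sa) < 0 || stat(path_b, &sb) < 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Open a socket inside the namespace at ns_path and return the calling
 * thread to its original namespace afterwards. Returns the socket fd,
 * or -errno on failure. The socket keeps the namespace it was created in. */
int socket_in_netns(const char *ns_path, int domain, int type, int protocol)
{
    int self = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (self < 0)
        return -errno;
    int target = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (target < 0) {
        int e = errno;
        close(self);
        return -e;
    }
    int ret;
    if (setns(target, CLONE_NEWNET) < 0) {
        ret = -errno;                       /* typically EPERM without CAP_SYS_ADMIN */
    } else {
        int sk = socket(domain, type | SOCK_CLOEXEC, protocol);
        ret = sk < 0 ? -errno : sk;
        /* Switch back even if socket() failed: the thread must never be
         * left running in a foreign namespace. */
        if (setns(self, CLONE_NEWNET) < 0 && ret >= 0) {
            close(ret);
            ret = -errno;
        }
    }
    close(target);
    close(self);
    return ret;
}

/* List every name published under the iproute2 directory and say whether it
 * is this process's own namespace. Returns entries visited, or -1. */
int walk_named_netns(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int n = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.')
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        int same = netns_same(path, "/proc/self/ns/net");
        printf("%-20s %s\n", de->d_name,
               same < 0 ? "unreadable" : same ? "this process's netns" : "other netns");
        n++;
    }
    closedir(d);
    return n;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : NETNS_RUN_DIR;
    if (walk_named_netns(dir) < 0)
        perror(dir);
    /* "blue" is an assumed namespace name for the example. */
    int sk = socket_in_netns(NETNS_RUN_DIR "/blue", AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sk < 0)
        fprintf(stderr, "socket_in_netns(blue): %s\n", strerror(-sk));
    else {
        puts("opened an rtnetlink socket inside netns blue");
        close(sk);
    }
    return 0;
}
```

setns(2) changes only the calling thread, so a multithreaded daemon should do the setns/socket/setns sequence from one dedicated thread (or a forked helper) rather than from whichever thread happens to need a socket. Because a socket stays bound to the namespace it was created in, this is all that is needed to hold one netlink socket per namespace, which is why no per-socket namespace option is required.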