lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 13 May 2014 11:38:14 -0400
From:	sowmini varadhan <sowmini05@...il.com>
To:	Lorenzo Colitti <lorenzo@...gle.com>
Cc:	netdev <netdev@...r.kernel.org>, JP Abgrall <jpa@...gle.com>,
	David Miller <davem@...emloft.net>,
	Julian Anastasov <ja@....bg>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>
Subject: Re: [PATCH 0/3] Make mark-based routing work better with multiple
 separate networks.

On Tue, May 13, 2014 at 11:28 AM, Lorenzo Colitti <lorenzo@...gle.com> wrote:

> You can't use macvlan if you're not using interfaces that don't have
> MAC addresses such as tun devices, 4G interfaces, and so on.

So to repeat, "what problem do you need to solve?" You indicated
that
" As described in the patch cover letter, one of the things I'm trying
  to do is have fwmarks select between multiple separate networks, which
  may be on multiple physical interfaces. I also want applications to be
  able to listen for connections from all networks using a single
  listening socket. I don't care about network isolation."

To do that, you just have to bind() the under-socket to the desired address,
no need for macvlans etc.

You'd only need macvlans to solve the rest of the problems in your
list, such as getting ping to work right, which involves network isolation,
aka vrf. (fwiw, the ping etc will JustWork with network-namespaces)


> IMO forcing an application to open one socket per namespace, and
> constantly be listening for any namespace changes as networks come and
> go, is an unreasonable burden when all the application wants to do is

your typical network app is going to have to open a netlink socket
and listen for state changes (intf events, address events etc) anyway.
And once you receive a packet on your wildcard socket, I suspect that
youi need to do some extra work anyway to figure out which
vrf/netns/sock-mark/whatever it came in on.

But note that I'm not averse to optimizing some of this- it just
seems odd to me that you have vrfs-with-namespaces,
not-quite-vrfs-with-sock-marks,
multiple-routing-tables-for-pbr-but-we-are-not-vrfs etc.

ymmv.

--Sowmini
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ