Message-ID: <aca5e0b4-7c2a-4bd5-41ba-9a6ac965b9c6@gmail.com>
Date: Thu, 7 Mar 2019 15:58:09 +0100
From: Florian LAUNAY <launayflorian@...il.com>
To: Christian Brauner <christian@...uner.io>, davem@...emloft.net,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
bridge@...ts.linux-foundation.org
Cc: tyhicks@...onical.com, pablo@...filter.org,
kadlec@...ckhole.kfki.hu, fw@...len.de, roopa@...ulusnetworks.com,
nikolay@...ulusnetworks.com
Subject: Re: [PATCH net-next 0/2] br_netfilter: enable in non-initial netns
Hi everyone,
Can someone help move this topic forward?
This issue simply prevents any advanced use of docker in LXC.
Thank you in advance!
Florian LAUNAY
On 07/11/2018 14:48, Christian Brauner wrote:
> Hey everyone,
>
> Over time I have seen multiple reports by users who want to run applications
> (Kubernetes e.g. via [1]) that require the br_netfilter module in
> non-initial network namespaces [2], [3], [4], [5] (there are more issues
> where this requirement is reported).
> Currently, the /proc/sys/net/bridge folder is only created in the
> initial network namespace. This patch series ensures that the
> /proc/sys/net/bridge folder is available in each network namespace if
> the module is loaded and disappears from all network namespaces when the
> module is unloaded.
> The patch series also makes the sysctls:
>
> bridge-nf-call-arptables
> bridge-nf-call-ip6tables
> bridge-nf-call-iptables
> bridge-nf-filter-pppoe-tagged
> bridge-nf-filter-vlan-tagged
> bridge-nf-pass-vlan-input-dev
>
> apply per network namespace. This unblocks some use-cases where users
> would like to e.g. not do bridge filtering for bridges in a specific
> network namespace while doing so for bridges located in another network
> namespace.
> The netfilter rules are afaict already per network namespace so it
> should be safe for users to specify whether a bridge device inside their
> network namespace is supposed to go through iptables et al. or not.
> Also, this can already be done by setting an option for each individual
> bridge via Netlink. It should also be possible to do this for all
> bridges in a network namespace via sysctls.
>
> Thanks!
> Christian
>
> [1]: https://github.com/zimmertr/Bootstrap-Kubernetes-with-Ansible
> [2]: https://github.com/lxc/lxd/issues/5193
> [3]: https://discuss.linuxcontainers.org/t/bridge-nf-call-iptables-and-swap-error-on-lxd-with-kubeadm/2204
> [4]: https://github.com/lxc/lxd/issues/3306
> [5]: https://gitlab.com/gitlab-org/gitlab-runner/issues/3705
>
> Christian Brauner (2):
> br_netfilter: add struct netns_brnf
> br_netfilter: namespace bridge netfilter sysctls
>
> include/net/net_namespace.h          |   3 +
> include/net/netfilter/br_netfilter.h |   3 +-
> include/net/netns/netfilter.h        |  16 +++
> net/bridge/br_netfilter_hooks.c      | 166 ++++++++++++++++++---------
> net/bridge/br_netfilter_ipv6.c       |   2 +-
> 5 files changed, 134 insertions(+), 56 deletions(-)
>
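The practical effect of the series described above is that /proc/sys/net/bridge either exists in a given network namespace (module loaded, per-netns sysctls available) or does not exist there at all. The following POSIX shell helper, added as an illustration and not part of the thread or of the kernel series, reports that state from whatever namespace it runs in, so an operator can tell whether bridged traffic in a container's netns is handed to iptables at all before trusting firewall rules there. The function names (brnf_state, brnf_call_iptables_enabled, make_sample_dir), the directory argument and the sample directory are assumptions of this example; the six sysctl names are the ones listed in the cover letter.

```shell
#!/bin/sh
# Report the bridge netfilter sysctls visible from the current network namespace.
# With the series applied, /proc/sys/net/bridge is present in a netns exactly when
# br_netfilter is loaded; without it, a non-initial netns never has the directory.

# The six sysctls the cover letter makes per-netns.
BRNF_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables \
bridge-nf-filter-pppoe-tagged bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

# brnf_state [DIR]: print "absent" (and return 1) if the sysctl directory is missing
# in this netns, otherwise one "name=value" line per sysctl ("name=missing" if a
# single file is not there). DIR defaults to the real sysctl directory.
brnf_state() {
    dir=${1:-/proc/sys/net/bridge}
    if [ ! -d "$dir" ]; then
        echo absent
        return 1
    fi
    for name in $BRNF_SYSCTLS; do
        if [ -r "$dir/$name" ]; then
            printf '%s=%s\n' "$name" "$(cat "$dir/$name")"
        else
            printf '%s=missing\n' "$name"
        fi
    done
    return 0
}

# brnf_call_iptables_enabled [DIR]: succeed only if bridged IPv4 frames in this
# netns are passed to iptables (bridge-nf-call-iptables == 1). A 0 here means
# L3 firewall rules in the namespace do not see bridged container traffic.
brnf_call_iptables_enabled() {
    dir=${1:-/proc/sys/net/bridge}
    [ -r "$dir/bridge-nf-call-iptables" ] && \
        [ "$(cat "$dir/bridge-nf-call-iptables")" = 1 ]
}

# make_sample_dir: constructed stand-in for /proc/sys/net/bridge so the helpers
# can be exercised offline (all sysctls 1 except arptables, which is 0).
make_sample_dir() {
    d=$(mktemp -d)
    for name in $BRNF_SYSCTLS; do
        echo 1 > "$d/$name"
    done
    echo 0 > "$d/bridge-nf-call-arptables"
    echo "$d"
}

# Stand-alone run: show the constructed sample, then the live state of this netns.
sample=$(make_sample_dir)
echo "sample directory:"; brnf_state "$sample"
rm -rf "$sample"
echo "this netns:"; brnf_state || true
```

To inspect a container's namespace rather than the host's, source the file inside that namespace, for example with `ip netns exec <name> sh -c '. ./brnf.sh; brnf_state'` or `nsenter --net=/proc/<pid>/ns/net sh -c '. ./brnf.sh; brnf_state'`; an "absent" result on a kernel without the series is expected for any non-initial netns even though the host shows the sysctls.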