lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <aca5e0b4-7c2a-4bd5-41ba-9a6ac965b9c6@gmail.com>
Date:   Thu, 7 Mar 2019 15:58:09 +0100
From:   Florian LAUNAY <launayflorian@...il.com>
To:     Christian Brauner <christian@...uner.io>, davem@...emloft.net,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        netfilter-devel@...r.kernel.org, coreteam@...filter.org,
        bridge@...ts.linux-foundation.org
Cc:     tyhicks@...onical.com, pablo@...filter.org,
        kadlec@...ckhole.kfki.hu, fw@...len.de, roopa@...ulusnetworks.com,
        nikolay@...ulusnetworks.com
Subject: Re: [PATCH net-next 0/2] br_netfilter: enable in non-initial netns

Hi everyone,

Can someone help move this topic forward ?
This issue simply prevents any advanced use of docker in LXC.

Thank you in advance!
Florian LAUNAY

On 07/11/2018 14:48, Christian Brauner wrote:
> Hey everyone,
> 
> Over time I have seen multiple reports by users who want to run applications
> (Kubernetes e.g. via [1]) that require the br_netfilter module in
> non-initial network namespaces [2], [3], [4], [5] (There are more issues
> where this requirement is reported.).
> Currently, the /proc/sys/net/bridge folder is only created in the
> initial network namespace. This patch series ensures that the
> /proc/sys/net/bridge folder is available in each network namespace if
> the module is loaded and disappears from all network namespaces when the
> module is unloaded.
> The patch series also makes the sysctls:
> 
> bridge-nf-call-arptables
> bridge-nf-call-ip6tables
> bridge-nf-call-iptables
> bridge-nf-filter-pppoe-tagged
> bridge-nf-filter-vlan-tagged
> bridge-nf-pass-vlan-input-dev
> 
> apply per network namespace. This unblocks some use-cases where users
> would like to e.g. not do bridge filtering for bridges in a specific
> network namespace while doing so for bridges located in another network
> namespace.
> The netfilter rules are afaict already per network namespace so it
> should be safe for users to specify whether a bridge device inside their
> network namespace is supposed to go through iptables et al. or not.
> Also, this can already be done by setting an option for each individual
> bridge via Netlink. It should also be possible to do this for all
> bridges in a network namespace via sysctls.
> 
> Thanks!
> Christian
> 
> [1]: https://github.com/zimmertr/Bootstrap-Kubernetes-with-Ansible
> [2]: https://github.com/lxc/lxd/issues/5193
> [3]: https://discuss.linuxcontainers.org/t/bridge-nf-call-iptables-and-swap-error-on-lxd-with-kubeadm/2204
> [4]: https://github.com/lxc/lxd/issues/3306
> [5]: https://gitlab.com/gitlab-org/gitlab-runner/issues/3705
> 
> Christian Brauner (2):
>    br_netfilter: add struct netns_brnf
>    br_netfilter: namespace bridge netfilter sysctls
> 
>   include/net/net_namespace.h          |   3 +
>   include/net/netfilter/br_netfilter.h |   3 +-
>   include/net/netns/netfilter.h        |  16 +++
>   net/bridge/br_netfilter_hooks.c      | 166 ++++++++++++++++++---------
>   net/bridge/br_netfilter_ipv6.c       |   2 +-
>   5 files changed, 134 insertions(+), 56 deletions(-)
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ