| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACGkMEtTgmFVDU+ftDKEvy31JkV9zLLUv25LrEPKQyzgKiQGSQ@mail.gmail.com> Date: Wed, 5 Mar 2025 13:46:54 +0800 From: Jason Wang <jasowang@...hat.com> To: Bobby Eshleman <bobbyeshleman@...il.com> Cc: Stefano Garzarella <sgarzare@...hat.com>, davem@...emloft.net, Stefan Hajnoczi <stefanha@...hat.com>, "Michael S. Tsirkin" <mst@...hat.com>, linux-kernel@...r.kernel.org, Jorgen Hansen <jhansen@...are.com>, kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org, linux-hyperv@...r.kernel.org, Dexuan Cui <decui@...rosoft.com>, netdev@...r.kernel.org, Jakub Kicinski <kuba@...nel.org> Subject: Re: [PATCH net-next 0/3] vsock: support network namespace On Wed, Mar 5, 2025 at 8:39 AM Bobby Eshleman <bobbyeshleman@...il.com> wrote: > > On Tue, Apr 28, 2020 at 06:00:52PM +0200, Stefano Garzarella wrote: > > On Tue, Apr 28, 2020 at 04:13:22PM +0800, Jason Wang wrote: > > > > > > > > > As we've discussed, it should be a netdev probably in either guest or host > > > side. And it would be much simpler if we want do implement namespace then. > > > No new API is needed. > > > > > > > Thanks Jason! > > > > It would be cool, but I don't have much experience on netdev. > > Do you see any particular obstacles? > > > > I'll take a look to understand how to do it, surely in the guest would > > be very useful to have the vsock device as a netdev and maybe also in the host. > > > > WRT netdev, do we foresee big gains beyond just leveraging the netdev's > namespace? It's a leverage of the network subsystem (netdevice, steering, uAPI, tracing, probably a lot of others), not only its namespace. It can avoid duplicating existing mechanisms in a vsock specific way. If we manage to do that, namespace support will be a "byproduct". > > IIUC, the idea is that we could follow the tcp/ip model and introduce > vsock-supported netdevs. This would allow us to have a netdev associated > with the virtio-vsock device and create virtual netdev pairs (i.e., > veth) that can bridge namespaces. Then, allocate CIDs or configure port > mappings for those namespaces? Probably. > > I think it might be a lot of complexity to bring into the picture from > netdev, and I'm not sure there is a big win since the vsock device could > also have a vsock->net itself? Yes, it can. I think we need to evaluate both approaches (that's why I raise the approach of reusing netdevice). We can hear from others. > I think the complexity will come from the > address translation, which I don't think netdev buys us because there > would still be all of the work work to support vsock in netfilter? Netfilter should not work as vsock will behave as a separate protocol other than TCP/IP (e.g ETH_P_VSOCK) if we try to implement netdevice. > > Some other thoughts I had: netdev's flow control features would all have > to be ignored or disabled somehow (I think dev_direct_xmit()?), because > queueing introduces packet loss and the vsock protocol is unable to > survive packet loss. Or just allow it and then configuring a qdisc that may drop packets could be treated as a misconfiguration. > Netfilter's ability to drop packets would have to > be disabled too. > > Best, > Bobby > Thanks
Powered by blists - more mailing lists