lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 02 Oct 2008 12:00:33 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Alexey Dobriyan <adobriyan@...il.com>
CC:	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	containers@...ts.linux-foundation.org
Subject: Re: [PATCH 33/33] Enable netfilter in netns

Alexey Dobriyan wrote:
> On Thu, Oct 02, 2008 at 11:12:08AM +0200, Patrick McHardy wrote:
>   
>> Is there an easy way to test all this stuff?
>>     
>
> I used the following:
>
> 0) netns is currently mutually exclusive with sysfs, so depending on
>    sanity of distro initscripts booting sysfs-less kernel can be tricky.
>
>    In Gentoo, for example a) rm -rf /sys (sic!), b) RC_USE_FSTAB="yes",
>    c) RC_DEVICES="static" in /etc/conf.d/rc are needed.
>
> 1) netns creation tool (attached, some container guy posted it somewhere)
>
> 	# ns_exec -n /bin/sh
>
> 2) shutdown network in init_net
>
> 	sudo /etc/init.d/ntpd stop
> 	sudo /etc/init.d/sshd stop
> 	sudo /etc/init.d/iptables stop
> 	sudo /etc/init.d/ip6tables stop
> 	sudo /etc/init.d/net.eth1 stop
> 	sudo /etc/init.d/net.eth0 stop
>
> 3) move netdevices to netns
>
> 	ip l s dev eth0 netns "$1"
> 	ip l s dev eth1 netns "$1"
>
> 	where $1 is PID of shell from 1)
>
> 4) in netns start everything back
>
> 	sudo /etc/init.d/net.eth0 start
> 	sudo /etc/init.d/net.eth1 start
> 	sudo /etc/init.d/iptables start
> 	sudo /etc/init.d/ip6tables start
> 	sudo /etc/init.d/sshd start
> 	sudo /etc/init.d/ntpd start
>
> 5) at this point my usual NAT setup is back working for me and everything should
>    be like in init_net (modulo aforementioned exceptions) and
>    independent from init_net.
>
> Leaked netns are in /proc/slabinfo under "net_namespace".
>
> Some IPv6 printks can be annoying, so mute them.
>
> Object poisoning with SLUB won't work for irrelevant reasons, so use SLAB.
>
> Something like that.
>   

Thanks, I'll give it a try.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ