Date: Wed, 12 Dec 2012 19:39:57 +0100
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net, ebiederm@...ssion.com, aatteka@...ira.com
Subject: Re: [RFC PATCH net-next 0/5] Ease netns management for userland

2012/12/12 Nicolas Dichtel <nicolas.dichtel@...nd.com>:
> The goal of this series is to ease netns management by daemons. Some systems use
> netns only to virtualize network stack and don't want to multiply userland
> daemons. These systems may have a lot of netns, up to 2000. We don't want to
> launch an instance of each daemon (quagga, strongswan, conntrackd, ...) for
> each netns because it will consume a lot of resources. Having one daemon that
> manages all netns is more efficient (mainly if there are few objects to manage:
> one or two routes per netns for example).
> Hence, one goal of this series is to allow, for a daemon, to monitor netns
> activities, thus it can open or close netlink sockets, allocating structures
> needed to manage these netns when they are created or deleted.
> To help to identify a netns, an index has been added to each netns.
>
> A new setsockopt() option is also added, to help daemons to open socket in the
> right netns. For now, a daemon that wants to open a socket in a specified netns
> needs to call setns(CLONE_NEWNET) with a fd (not so easy to find), open the
> socket and then call again setns() to go back in the initial netns. Having this
> kind of setsockopt() will simplify operations. Obviously, this setsockopt()
> should be done early enough (is test on sk_state enough?). The first target is
> netlink socket but it can be useful for other kind of socket, that's why I add a
> generic socket option.
>
> As usual, the patch against iproute2 will be sent once the patches are included
> and net-next merged. I can send it on demand.
>
>  arch/alpha/include/asm/socket.h        |    2 +
>  arch/avr32/include/uapi/asm/socket.h   |    2 +
>  arch/frv/include/uapi/asm/socket.h     |    2 +
>  arch/h8300/include/asm/socket.h        |    2 +
>  arch/ia64/include/uapi/asm/socket.h    |    2 +
>  arch/m32r/include/asm/socket.h         |    2 +
>  arch/m68k/include/uapi/asm/socket.h    |    2 +
>  arch/mips/include/uapi/asm/socket.h    |    2 +
>  arch/mn10300/include/uapi/asm/socket.h |    2 +
>  arch/parisc/include/uapi/asm/socket.h  |    2 +
>  arch/powerpc/include/uapi/asm/socket.h |    2 +
>  arch/s390/include/uapi/asm/socket.h    |    2 +
>  arch/sparc/include/uapi/asm/socket.h   |    2 +
>  arch/xtensa/include/uapi/asm/socket.h  |    2 +
>  include/net/net_namespace.h            |    3 +
>  include/uapi/asm-generic/socket.h      |    2 +
>  include/uapi/linux/if_link.h           |    1 +
>  include/uapi/linux/netns.h             |   31 +++++
>  net/core/net_namespace.c               |  223 +++++++++++++++++++++++++++++++++
>  net/core/rtnetlink.c                   |    7 +-
>  net/core/sock.c                        |   28 +++++
>  net/netlink/genetlink.c                |    4 +
>  22 files changed, 326 insertions(+), 1 deletion(-)
>
> I do not pretend to be a netns expert, that's why I add RFC in the title ;-)
>
> Comments are welcome.

Sorry for the double send, it's a wrong manip!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
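
The setns() sequence the message describes as the current way to open a socket in another netns, written out in C as an added example (it is not code from the patch series or the kernel tree). The helper name `socket_in_netns` is hypothetical; the sketch assumes a single-threaded caller with CAP_SYS_ADMIN and uses the raw setns syscall.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWNET */
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/syscall.h>   /* SYS_setns */
#include <unistd.h>

/* Hypothetical helper (name is an assumption, not from the patch series).
 * Opens a socket inside the netns referenced by ns_path, e.g. a
 * /proc/<pid>/ns/net file, then returns the caller to its original netns.
 * Assumes a single-threaded caller with CAP_SYS_ADMIN.
 * Returns the socket fd, or -1 with errno set. */
int socket_in_netns(const char *ns_path, int domain, int type, int protocol)
{
    int sock = -1, err = 0;

    int target = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (target < 0)
        return -1;

    /* Keep a handle on the current netns so we can come back. */
    int home = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (home < 0) {
        err = errno;
        close(target);
        errno = err;
        return -1;
    }

    if (syscall(SYS_setns, target, CLONE_NEWNET) == 0) {
        sock = socket(domain, type, protocol);
        err = errno;
        /* If the return trip fails, every later socket would silently land
         * in the wrong netns; stop rather than continue misplaced. */
        if (syscall(SYS_setns, home, CLONE_NEWNET) != 0)
            abort();
    } else {
        err = errno;
    }

    close(home);
    close(target);
    errno = err;
    return sock;
}
```

The socket stays bound to the target netns after the caller switches back, which is why the second setns() is safe for the socket but must not fail for the daemon.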