| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACP96tSF=3ogg+Gv6GiOuUxF=kL_6FE0f_P1Efcg7-RKWs++yA@mail.gmail.com> Date: Tue, 13 May 2014 11:38:14 -0400 From: sowmini varadhan <sowmini05@...il.com> To: Lorenzo Colitti <lorenzo@...gle.com> Cc: netdev <netdev@...r.kernel.org>, JP Abgrall <jpa@...gle.com>, David Miller <davem@...emloft.net>, Julian Anastasov <ja@....bg>, Hannes Frederic Sowa <hannes@...essinduktion.org> Subject: Re: [PATCH 0/3] Make mark-based routing work better with multiple separate networks. On Tue, May 13, 2014 at 11:28 AM, Lorenzo Colitti <lorenzo@...gle.com> wrote: > You can't use macvlan if you're not using interfaces that don't have > MAC addresses such as tun devices, 4G interfaces, and so on. So to repeat, "what problem do you need to solve?" You indicated that " As described in the patch cover letter, one of the things I'm trying to do is have fwmarks select between multiple separate networks, which may be on multiple physical interfaces. I also want applications to be able to listen for connections from all networks using a single listening socket. I don't care about network isolation." To do that, you just have to bind() the under-socket to the desired address, no need for macvlans etc. You'd only need macvlans to solve the rest of the problems in your list, such as getting ping to work right, which involves network isolation, aka vrf. (fwiw, the ping etc will JustWork with network-namespaces) > IMO forcing an application to open one socket per namespace, and > constantly be listening for any namespace changes as networks come and > go, is an unreasonable burden when all the application wants to do is your typical network app is going to have to open a netlink socket and listen for state changes (intf events, address events etc) anyway. And once you receive a packet on your wildcard socket, I suspect that youi need to do some extra work anyway to figure out which vrf/netns/sock-mark/whatever it came in on. But note that I'm not averse to optimizing some of this- it just seems odd to me that you have vrfs-with-namespaces, not-quite-vrfs-with-sock-marks, multiple-routing-tables-for-pbr-but-we-are-not-vrfs etc. ymmv. --Sowmini -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists