| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55631F22.90903@6wind.com> Date: Mon, 25 May 2015 15:09:54 +0200 From: Nicolas Dichtel <nicolas.dichtel@...nd.com> To: Alexander Holler <holler@...oftware.de> CC: "Eric W. Biederman" <ebiederm@...ssion.com>, netdev@...r.kernel.org, tgraf@...g.ch, davem@...emloft.net Subject: Re: [PATCH net-next v2 0/7] netns: ease netlink use with a lot of netns Le 25/05/2015 12:55, Alexander Holler a écrit : > Am 25.05.2015 um 09:45 schrieb Nicolas Dichtel: >> Le 22/05/2015 22:50, Alexander Holler a écrit : > >>> First I think if NETLINK_LISTEN_ALL_NSID is enabled, a dump >>> of the interfaces through RTM_GETLINK together with NLM_F_DUMP and >>> NLM_F_REQUEST should return all interfaces of all reachable namespaces. >> This option is only for 'listening', ie spontaneous notifications from the >> kernel. It does nothing for request. > > The problem is that you need informations about the affected interfaces. E.g. if > you receive an NEWADDR or NEWROUTE for some interface (indicated by the index of > the interface) in a(nother) namespace, how do you get informations about that > interface, if not by a dump which includes the interfaces of these namespaces > too? Without knowledge about the interface, these messages are not very usable. ;) Yes, this is the right things. Usually, a daemon opens a socket to listen netlink event. Then, it opens another netlink socket to dump the configuration (interfaces, addresses, routes, etc.) and fill its internal structures. Starting from that point, for most of configuration parameters, it doesn't need anymore to do dumps and thus it can close the second socket. This allows your daemon to have only one socket to monitor a set a netns. Look at iproute for example, it starts by dumping all interfaces before executing the specified command. > >> Not sure to follow you. veth0 sits in the current netns (let's say >> init_net) >> and veth1 in netns1. >> So, when you dump veth0 in init_net, its link-netnsid is set to the id of >> netns1 in init_net. And when you dump veth1 in netns1, it's link-netnsid >> is set >> to the id of init_net in netns1. > > I've misunderstood the meaning of IFLA_LINK_NETNSID. I thought it indicates the > namespace an interface lives in, but it indicates the namespace it is linked too. Yes. > > I've also thought that the NETNSID is a global unique identifier of a namespace, > which seems to be wrong too. While I still not have read through all the > sources, the other comments are suggesting that the NSID is just an ID which is > unique only in one namespace, or in other words, every namespace has its own set > of nsids. I'm not sure if I'm now right with that assumption, but that's what I > now think after the responses to my mail. ;) Right, nsid are local to a netns. This allows to migrate a container. With a global id, that won't be possible. ifindex are local for the exact same purpose. > > So to conclude, I've now scheduled support for namespaces to a far later point. > It doesn't seem to be as easy as I've thought after having read the introductory > mail of your patch series. ;) The main goal of the series was to improve scalability ;-) Regards, Nicolas -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists