lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150724162723.GA32909@Alexeis-MBP.westell.com>
Date:	Fri, 24 Jul 2015 09:27:25 -0700
From:	Alexei Starovoitov <alexei.starovoitov@...il.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Nicolas Dichtel <nicolas.dichtel@...nd.com>, davem@...emloft.net,
	netdev@...r.kernel.org, roopa@...ulusnetworks.com, tgraf@...g.ch
Subject: Re: [PATCH net-next v2] route: allow to route in a peer netns via
 lwt framework

On Fri, Jul 24, 2015 at 05:39:57PM +0200, Eric Dumazet wrote:
> 
> On Fri, 2015-07-24 at 16:16 +0200, Nicolas Dichtel wrote:
> > This patch takes advantage of the newly added lwtunnel framework to
> > allow the user to set routes that point to a peer netns.
> > 
> > Packets are injected to the peer netns via the loopback device. It works
> > only when the output device is 'lo'.
> > 
> > Example:
> > ip route add 40.1.1.1/32 encap netns nsid 5 via dev lo
> > 
> 
> Is this feature so badly wanted to add complexity on lo device ?
...
> >  static netdev_tx_t loopback_xmit(struct sk_buff *skb,
> >  				 struct net_device *dev)
...
> > +	if (nsid != NETNSA_NSID_NOT_ASSIGNED) {
> > +		peernet = get_net_ns_by_id(dev_net(dev), nsid);
> > +		if (!peernet) {
> > +			kfree_skb(skb);
> > +			goto end;
> > +		}
> > +
> > +		/* it's OK to use per_cpu_ptr() because BHs are off */
> > +		lb_stats = this_cpu_ptr(peernet->loopback_dev->lstats);
> > +		ret = dev_forward_skb(peernet->loopback_dev, skb);

have the same concern as Eric.
Using loopback for this looks wrong.
netns suppose to look like host, but I cannot imagine a host
without NICs seeing packets on loopback from another world.
Then how the opposite direction suppose to work?
netns will setup a route to send packets to loopback of the host?!
The idea of using routing to forward packets to namespaces is great,
but I think we need something else instead of loopback.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ