lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMDZJNX9kVm+6f6=-+O4QfNS2yaBj2ZDuJ-hG-p2Yi-4yxfA_A@mail.gmail.com>
Date:   Thu, 17 Jan 2019 19:12:16 +0800
From:   Tonghao Zhang <xiangxia.m.yue@...il.com>
To:     nicolas.dichtel@...nd.com
Cc:     David Miller <davem@...emloft.net>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH RESEND net-next v2] net: ipv4: allocate ipv4_devconf
 memory for init_net

On Thu, Jan 17, 2019 at 4:25 PM Nicolas Dichtel
<nicolas.dichtel@...nd.com> wrote:
>
> Le 16/01/2019 à 09:53, xiangxia.m.yue@...il.com a écrit :
> > From: Tonghao Zhang <xiangxia.m.yue@...il.com>
> >
> > The devconf setting on the init_net will affect other
> > namespace when them created. For example:
> >
> > $ cat /proc/sys/net/ipv4/conf/all/rp_filter
> > 0
> > $ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> > $ cat /proc/sys/net/ipv4/conf/all/rp_filter
> > 2
> >
> > $ ip netns add ns100
> > $ ip netns exec ns100 bash
> > $ cat /proc/sys/net/ipv4/conf/all/rp_filter
> > 2
> >
> > The value of rp_filter in the ns100, should be 0 as
> > default, but it is 2 same as _init_net_.
> This problem has already been discussed in the past. We cannot change anymore
> the current behavior, some users are relying on it.
Sorry, I don't know that some users rely on it and I send that patch
again. In our case,

there are many containers, on host, where running the
different type containers and applications. We don't know what network
configuration
user will set. The new containers don't inherit our host configuration.

* host _init_net_ may be used as a complex network. (the rp_filter, arp_ignore
  and arp_announce may be used.) but containers use them as default.
Host network
  configuration should not affect containers.
* containers and host network configuration are complete isolation.

so, we should support configuration for user, inherit _init_net_ value or not ?

>
> Regards,
> Nicolas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ