Date:   Wed, 28 Aug 2019 15:26:03 -0600
From:   David Ahern <dsahern@...il.com>
To:     Jiri Pirko <jiri@...nulli.us>, David Ahern <dsahern@...nel.org>
Cc:     davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH net] netdevsim: Restore per-network namespace accounting
 for fib entries

On 8/28/19 4:37 AM, Jiri Pirko wrote:
> Tue, Aug 06, 2019 at 09:15:17PM CEST, dsahern@...nel.org wrote:
>> From: David Ahern <dsahern@...il.com>
>>
>> Prior to the commit in the fixes tag, the resource controller in netdevsim
>> tracked fib entries and rules per network namespace. Restore that behavior.
> 
> David, please help me understand. If the counters are per-device, not
> per-netns, they are both the same. If we have a device (devlink instance)
> in a netns and take only things happening in this netns into account,
> it should count exactly the same amount of fib entries, shouldn't it?

If you are only changing where the counters are stored - net_generic vs
devlink private - then yes, they should be equivalent.

> 
> I rethought the devlink netns patchset and currently I'm going in a
> slightly different direction. I'm having netns as an attribute of
> devlink reload. So all the port netdevices and everything gets
> re-instantiated into the new netns. Works fine with mlxsw. There we also
> re-register the fib notifier.
> 
> I think that this can work for your usecase in netdevsim too:
> 1) devlink instance is registering a fib notifier to track all fib
>    entries in a namespace it belongs to. The counters are per-device -
>    counting fib entries in a namespace the device is in.
> 2) another devlink instance can do the same tracking in the same
>    namespace. No problem, it's a separate counter, but the numbers are
>    the same. One can set different limits to different devlink
>    instances, but you can have only one. That is the behaviour you have
>    now.
> 3) on devlink reload, netdevsim re-instantiates ports and re-registers
>    fib notifier
> 4) on devlink reload with netns change, all should be fine as the
>    re-registered fib notifier replays the entries. The ports are
>    re-instantiated in the new netns.
> 
> This way, we would get consistent behaviour between netdevsim and real
> devices (mlxsw), correct devlink-netns implementation (you also
> suggested to move ports to the namespace). Everyone should be happy.
> 
> What do you think?
> 

Right now, registering the fib notifier walks all namespaces. That is
not a scalable solution. Are you changing that to replay only a given
netns? Are you changing the notifiers to be per-namespace?

Also, you are still allowing devlink instances to be created within a
namespace?
