Re: Network namespaces a path to mergable code.

Daniel Lezcano <[email protected]> writes:

> Andrey Savochkin wrote:
>
>> Ok, fine.
>> Now I'm working on socket code.
>> We still have a question about implicit vs explicit function parameters.
>> This question becomes more important for sockets: if we want to allow to use
>> sockets belonging to namespaces other than the current one, we need to do
>> something about it.
>> One possible option to resolve this question is to show 2 relatively short
>> patches just introducing namespaces for sockets in 2 ways: with explicit
>> function parameters and using implicit current context.
>> Then people can compare them and vote.
>> Do you think it's worth the effort?
>>
>
> The attached patch can have some part interesting for you for the socket
> tagging. It is in the IPV4 isolation (part 5/6). With this and the private
> routing table you will probably have a good IPV4 isolation.
> This patch partially isolates ipv4 by adding the network namespace
> structure in the structure sock, bind bucket and skbuf.

Ugh.  skbuf sounds very wrong.  Per packet overhead?

> When a socket
> is created, the pointer to the network namespace is stored in the
> struct sock and the socket belongs to the namespace by this way. That
> allows to identify sockets related to a namespace for lookup and
> procfs. 
>
> The lookup is extended with a network namespace pointer, in
> order to identify listen points binded to the same port. That allows
> to have several applications binded to INADDR_ANY:port in different
> network namespace without conflicting. The bind is checked against
> port and network namespace.

Yes.  If we don't duplicate the hash table we need to extend the lookup.

> When an outgoing packet has the loopback destination addres, the
> skbuff is filled with the network namespace. So the loopback packets
> never go outside the namespace. This approach facilitate the migration
> of loopback because identification is done by network namespace and
> not by address. The loopback has been benchmarked by tbench and the
> overhead is roughly 1.5 %

Ugh.  1.5% is noticeable.

I think it is cheaper to have one loopback device per namespace.
Which removes the need for a skbuff tag.

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: Network namespaces a path to mergable code.
    • From: Daniel Lezcano <[email protected]>

• References:
  • [patch 1/4] Network namespaces: cleanup of dev_base list use
    • From: Andrey Savochkin <[email protected]>
  • [RFC] Network namespaces a path to mergable code.
    • From: [email protected] (Eric W. Biederman)
  • Re: Network namespaces a path to mergable code.
    • From: Andrey Savochkin <[email protected]>
  • Re: Network namespaces a path to mergable code.
    • From: [email protected] (Eric W. Biederman)
  • Re: Network namespaces a path to mergable code.
    • From: Andrey Savochkin <[email protected]>
  • Re: Network namespaces a path to mergable code.
    • From: Daniel Lezcano <[email protected]>

• Prev by Date: Re: Incorrect CPU process accounting using CONFIG_HZ=100
• Next by Date: Re: klibc and what's the next step?
• Previous by thread: Re: Network namespaces a path to mergable code.
• Next by thread: Re: Network namespaces a path to mergable code.
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]