Re: [patch 2/6] [Network namespace] Network device sharing by view

On Mon, Jun 26, 2006 at 10:40:59AM -0600, Eric W. Biederman wrote:
> Daniel Lezcano <[email protected]> writes:
> 
> >> Then you lose the ability for each namespace to have its own
> >> routing entries. Which implies that you'll have difficulties with
> >> devices that should exist and be visible in one namespace only
> >> (like tunnels), as they require IP addresses and route.
> >
> > I mean instead of having the route tables private to the namespace, the routes
> > have the information to which namespace they are associated.
> 
> Is this an implementation difference or is this a user visible
> difference? As an implementation difference this is sensible, as it is
> pretty insane to allocate hash tables at run time.
>
> As a user visible difference that affects semantics of the operations
> this is not something we want to do.

well, I guess there are even more options here, for
example I'd like to propose the following idea, which
might be a viable solution for the policy/isolation
problem, with the actual overhead on the setup part
not the hot pathes for packet and connection handling

we could use the multiple routing tables to provide
a single routing table for each guest, which could
be used inside the guest to add arbitrary routes, but
would allow to keep the 'main' policy on the host, by
selecting the proper table based on IPs and guest tags

similar we could allow to have a separate iptables
chain for each guest (or several chains), which are
once again directed by the host system (applying the
required prolicy) which can be managed and configured
via normal iptable interfaces (both on the guest and
host) but actually provide at least to layers

note: this does not work for hierarchical network
contexts, but I do not see that the yet proposed
implementations would do, so I do not think that
is of concern here ...

best,
Herbert

> Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: [email protected] (Eric W. Biederman)

• References:
  • [RFC] [patch 0/6] [Network namespace] introduction
    • From: [email protected]
  • [RFC] [patch 2/6] [Network namespace] Network device sharing by view
    • From: [email protected]
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: Andrey Savochkin <[email protected]>
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: Daniel Lezcano <[email protected]>
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: Andrey Savochkin <[email protected]>
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: Daniel Lezcano <[email protected]>
  • Re: [patch 2/6] [Network namespace] Network device sharing by view
    • From: [email protected] (Eric W. Biederman)

• Prev by Date: Re: [patch 2/6] [Network namespace] Network device sharing by view
• Next by Date: please revert kthread from loop.c
• Previous by thread: Re: [patch 2/6] [Network namespace] Network device sharing by view
• Next by thread: Re: [patch 2/6] [Network namespace] Network device sharing by view
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]