OpenVZ Forum: Devel » dev_change_netns on a tunnel device

Home » Mailing lists » Devel » dev_change_netns on a tunnel device

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: dev_change_netns on a tunnel device [message #19023 is a reply to message #18980]

Tue, 19 June 2007 19:01

Sapan Bhatia
Messages: 2
Registered: June 2007

Junior Member

> - Because the directing of packets is based on ip address and multiple
>   network namespaces are allowed to use the same ip addresses then
>   the decode needs to take the network namespace into account.


Hm, but a tunnel device can belong to only one namespace, so shouldn't this
get handled automatically, since packet flow upstream of the tunnel is
handled by the container route table?

So eg. if we have tunnel ipip0 in container X, with endpoints bound to eth0
in init_net, then encapsulated packets intercepted by the tunnel show up in
on ipip0, which if my understanding is correct, should be able to have an
address collision with a device in another container, since the other
address doesn't show up in the local route table.

- The only thing that would prevent the migration semantics from being
>   correct is if you could manipulate a migrated tunnel in such a way that
> you
>   could do something nasty to the source namespace.
>
  Since a tunnel change command is also a tunnel rename command that should
>   force any ipip tunnel into using ip addresses from the current
>   namespace, which makes it safe, and thus unable to affect the source
>   namespace.


One example of a safety violation is that in GRE, the key participates in
routing, and one might be able to set it so that a container sneaks its
packets into another tunnel that it doesn't own. Don't know if 'ip tunnel'
can be used to do other bad things.

There might also be some applications that assume the semantics in which the
backend and frontend are in the same container. eg. the  OSPF daemon of
QUAGGA for some reason binds to the 'local' endpoint of a GRE tunnel instead
of the address assigned to the interface, and inside a container, fails with
a "No such device". We're looking into this right now.

So semantically I believe the tunnel semantics are essentially
> correct.  However I believe there are several places where the code
> needs to be updated to correctly implement those semantics.
>
> Eric
>

Ok.

Thank you,
Sapan

_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

Report message to a moderator

[Message index]

		dev_change_netns on a tunnel device By: Sapan Bhatia on Mon, 18 June 2007 05:01
		Re: dev_change_netns on a tunnel device By: ebiederm on Tue, 19 June 2007 17:07
		Re: dev_change_netns on a tunnel device By: ebiederm on Tue, 19 June 2007 19:37
		Re: dev_change_netns on a tunnel device By: Sapan Bhatia on Tue, 19 June 2007 19:01

Previous Topic:	Re: New pid namespaces patches testing
Next Topic:	[PATCH] diskquota: 32bit quota tools on 64bit architectures

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Thu Sep 04 05:59:36 GMT 2025

Total time taken to generate the page: 0.11131 seconds