OpenVZ Forum: Devel » [RFC] network namespaces

Home » Mailing lists » Devel » [RFC] network namespaces

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [RFC] network namespaces [message #6007 is a reply to message #6006]

Wed, 06 September 2006 18:34

ebiederm
Messages: 1354
Registered: February 2006

Senior Member

Kir Kolyshkin <kir@openvz.org> writes:

> Herbert Poetzl wrote:
>> my point (until we have an implementation which clearly
>> shows that performance is equal/better to isolation)
>> is simply this:
>>
>> of course, you can 'simulate' or 'construct' all the
>> isolation scenarios with kernel bridging and routing
>> and tricky injection/marking of packets, but, this
>> usually comes with an overhead ...
>>
> Well, TANSTAAFL*, and pretty much everything comes with an overhead.
> Multitasking comes with the (scheduler, context switch, CPU cache, etc.)
> overhead -- is that the reason to abandon it? OpenVZ and Linux-VServer
> resource management also adds some overhead -- do we want to throw it away?
>
> The question is not just "equal or better performance", the question is
> "what do we get and how much we pay for it".

Equal or better performance is certainly required when we have the code
compiled in but aren't using it. We must not penalize the current code.

> Finally, as I understand both network isolation and network
> virtualization (both level2 and level3) can happily co-exist. We do have
> several filesystems in kernel. Let's have several network virtualization
> approaches, and let a user choose. Is that makes sense?

If there are not compelling arguments for using both ways of doing
it is silly to merge both, as it is more maintenance overhead.

That said I think there is a real chance if we can look at the bind
filtering and find a way to express that in the networking stack
through iptables. Using the security hooks conflicts with things
like selinux. Although it would be interesting to see if selinux
can already implement general purpose layer 3 filtering.

The more I look the gut feel I have is that the way to proceed would
be to add a new table that filters binds, and connects. Plus a new
module that would look at a process creating a socket and tell us if
it is the appropriate group of processes. With a little care that
would be a general solution to the layer 3 filtering problem.

Eric

Report message to a moderator

[Message index]

		[RFC] network namespaces By: Andrey Savochkin on Tue, 15 August 2006 14:20
		[PATCH 1/9] network namespaces: core and device list By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 1/9] network namespaces: core and device list By: Dave Hansen on Wed, 16 August 2006 14:46
		Re: [PATCH 1/9] network namespaces: core and device list By: Stephen Hemminger on Wed, 16 August 2006 16:45
		[PATCH 2/9] network namespaces: IPv4 routing By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 6/9] allow proc_dir_entries to have destructor By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 5/9] network namespaces: async socket operations By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 5/9] network namespaces: async socket operations By: Daniel Lezcano on Fri, 22 September 2006 15:33
		Re: [PATCH 5/9] network namespaces: async socket operations By: Andrey Savochkin on Sat, 23 September 2006 13:16
		[PATCH 7/9] net_device seq_file By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 8/9] network namespaces: device to pass packets between namespaces By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 4/9] network namespaces: socket hashes By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 4/9] network namespaces: socket hashes By: Daniel Lezcano on Mon, 18 September 2006 15:12
		Re: [PATCH 4/9] network namespaces: socket hashes By: Andrey Savochkin on Wed, 20 September 2006 16:32
		Re: [PATCH 4/9] network namespaces: socket hashes By: Daniel Lezcano on Thu, 21 September 2006 12:34
		[PATCH 9/9] network namespaces: playing with pass-through device By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [RFC] network namespaces By: serue on Wed, 16 August 2006 11:53
		Re: [RFC] network namespaces By: Alexey Kuznetsov on Wed, 16 August 2006 15:12
		Re: [RFC] network namespaces By: ebiederm on Wed, 16 August 2006 17:35
		Re: [RFC] network namespaces By: dev on Thu, 17 August 2006 08:28
		Re: [RFC] network namespaces By: Daniel Lezcano on Tue, 05 September 2006 13:34
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 14:45
		Re: [RFC] network namespaces By: Herbert Poetzl on Tue, 05 September 2006 16:53
		Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 06 September 2006 09:10
		Re: [RFC] network namespaces By: Herbert Poetzl on Wed, 06 September 2006 16:56
		Re: Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 17:36
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 18:34
		Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 18:56
		Re: [RFC] network namespaces By: Cedric Le Goater on Wed, 06 September 2006 20:53
		RE: [RFC] network namespaces By: Caitlin Bestler on Wed, 06 September 2006 23:06
		Re: [RFC] network namespaces By: Daniel Lezcano on Thu, 07 September 2006 08:25
		Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 18:29
		Re: [RFC] network namespaces By: Herbert Poetzl on Fri, 08 September 2006 06:02
		Re: Re: [RFC] network namespaces By: dev on Thu, 07 September 2006 16:20
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Thu, 07 September 2006 17:27
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Fri, 08 September 2006 13:10
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Fri, 08 September 2006 18:11
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sat, 09 September 2006 07:57
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 02:47
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sun, 10 September 2006 07:45
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 19:22
		Re: [RFC] network namespaces By: ebiederm on Tue, 12 September 2006 03:26
		Re: Re: [RFC] network namespaces By: ebiederm on Sun, 10 September 2006 03:41
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sun, 10 September 2006 08:11
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 19:19
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Mon, 11 September 2006 14:40
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Mon, 11 September 2006 14:57
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Mon, 11 September 2006 15:04
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Mon, 11 September 2006 15:10
		Re: [RFC] network namespaces By: ebiederm on Tue, 12 September 2006 03:28
		Re: [RFC] network namespaces By: Mishin Dmitry on Tue, 12 September 2006 07:38
		Re: Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 19:50
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 06 September 2006 21:44
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 17:58
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 18:27
		Re: [RFC] network namespaces By: dev on Wed, 06 September 2006 14:52
		Re: [RFC] network namespaces By: Daniel Lezcano on Tue, 05 September 2006 15:32
		Re: [RFC] network namespaces By: dev on Tue, 05 September 2006 15:44
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 17:09
		Re: [RFC] network namespaces By: Cedric Le Goater on Wed, 06 September 2006 20:25
		Re: Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 15:09
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 20:40
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 23:25
		Re: [RFC] network namespaces By: Stephen Hemminger on Thu, 07 September 2006 00:53
		Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 05:11
		Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 04 October 2006 09:40
		Re: [RFC] network namespaces By: ebiederm on Sun, 10 September 2006 11:48

Previous Topic:	[PATCH 2.6.18] ext2: errors behaviour fix
Next Topic:	64bit DMA in i2o_block

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sat Jul 12 04:21:29 GMT 2025

Total time taken to generate the page: 0.01331 seconds