search for: init_net

..., I'm restarting to work on this topic since Kata guys are interested to have that, especially on the guest side. While working on the v2 I had few doubts, and I'd like to have your suggestions: 1. netns assigned to the device inside the guest Currently I assigned this device to 'init_net'. Maybe it is better if we allow the user to decide which netns assign to the device or to disable this new feature to have the same behavior as before (host reachable from any netns). I think we can handle this in the vsock core and not in the single transports. The simplest...

..., I'm restarting to work on this topic since Kata guys are interested to have that, especially on the guest side. While working on the v2 I had few doubts, and I'd like to have your suggestions: 1. netns assigned to the device inside the guest Currently I assigned this device to 'init_net'. Maybe it is better if we allow the user to decide which netns assign to the device or to disable this new feature to have the same behavior as before (host reachable from any netns). I think we can handle this in the vsock core and not in the single transports. The simplest...

...with CID_ANY - assign the same CID of VMs running in different network namespaces - partition VMs between VMMs or at finer granularity This preliminary implementation provides the following behavior: - packets received from the host (received by G2H transports) are assigned to the default netns (init_net) - packets received from the guest (received by H2G - vhost-vsock) are assigned to the netns of the process that opens /dev/vhost-vsock (usually the VMM, qemu in my tests, opens the /dev/vhost-vsock) - for vmci I need some suggestions, because I don't know how to do and test the s...

...with CID_ANY - assign the same CID of VMs running in different network namespaces - partition VMs between VMMs or at finer granularity This preliminary implementation provides the following behavior: - packets received from the host (received by G2H transports) are assigned to the default netns (init_net) - packets received from the guest (received by H2G - vhost-vsock) are assigned to the netns of the process that opens /dev/vhost-vsock (usually the VMM, qemu in my tests, opens the /dev/vhost-vsock) - for vmci I need some suggestions, because I don't know how to do and test the s...

...> Date: Tue, 11 Jul 2023 16:40:03 -0500 >> On 7/11/23 15:44, Andrew Lunn wrote: >> >>>>>> The current llc_rcv.c around line 166 in net/llc/llc_input.c has >> >>>>>> >> >>>>>> if (!net_eq(dev_net(dev), &init_net)) >> >>>>>> goto drop; >> >>>>>> >> >> Thank you! When you offer your patches, and you hear worries about being >> >> 'invasive', it's worth asking 'compared to what' -- since the 'st...

...same CID of VMs running in different network namespaces > - partition VMs between VMMs or at finer granularity > > This preliminary implementation provides the following behavior: > - packets received from the host (received by G2H transports) are > assigned to the default netns (init_net) > - packets received from the guest (received by H2G - vhost-vsock) are > assigned to the netns of the process that opens /dev/vhost-vsock > (usually the VMM, qemu in my tests, opens the /dev/vhost-vsock) > - for vmci I need some suggestions, because I don't know how to do...

...ic since Kata guys are interested to > have that, especially on the guest side. > > While working on the v2 I had few doubts, and I'd like to have your > suggestions: > > 1. netns assigned to the device inside the guest > > Currently I assigned this device to 'init_net'. Maybe it is better > if we allow the user to decide which netns assign to the device > or to disable this new feature to have the same behavior as before > (host reachable from any netns). > I think we can handle this in the vsock core and not in the single > tra...

...pic since Kata guys are interested to > have that, especially on the guest side. > > While working on the v2 I had few doubts, and I'd like to have your > suggestions: > > 1. netns assigned to the device inside the guest > > Currently I assigned this device to 'init_net'. Maybe it is better > if we allow the user to decide which netns assign to the device > or to disable this new feature to have the same behavior as before > (host reachable from any netns). > I think we can handle this in the vsock core and not in the single >...

...c > index a807996ac56b..b5143de37938 100644 > --- a/net/bridge/br_stp_if.c > +++ b/net/bridge/br_stp_if.c > @@ -201,10 +201,8 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, > { > ASSERT_RTNL(); > > - if (!net_eq(dev_net(br->dev), &init_net)) { > + if (!net_eq(dev_net(br->dev), &init_net)) > NL_SET_ERR_MSG_MOD(extack, "STP can't be enabled in non-root netns"); > - return -EINVAL; > - } > > if (br_mrp_enabled(br)) { > NL_SET_ER...

...non-privileged user can bind to and relatedly that there is no netns support so e.g. users in unproivileged containers can bind to any vsock port and talk to the host, which might be undesirable. For my use for now I just went with the big hammer approach of denying access from anything other than init_net namespace[1] while I consider what the right answer is. Ian. [0]?http://thread.gmane.org/gmane.comp.emulators.virtio.devel/1092 [1] >From 366c9c42afb9bd54f92f72518470c09e46f12e88 Mon Sep 17 00:00:00 2001 From: Ian Campbell <ian.campbell at docker.com> Date: Mon, 4 Apr 2016 14:50:10 +0100...

...> have that, especially on the guest side. > > > > While working on the v2 I had few doubts, and I'd like to have your > > suggestions: > > > > 1. netns assigned to the device inside the guest > > > > Currently I assigned this device to 'init_net'. Maybe it is better > > if we allow the user to decide which netns assign to the device > > or to disable this new feature to have the same behavior as before > > (host reachable from any netns). > > I think we can handle this in the vsock core and not i...

...git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c index 75204d36d7f9..a807996ac56b 100644 --- a/net/bridge/br_stp_if.c +++ b/net/bridge/br_stp_if.c @@ -201,6 +201,11 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, { ASSERT_RTNL(); + if (!net_eq(dev_net(br->dev), &init_net)) { + NL_SET_ERR_MSG_MOD(extack, "STP can't be enabled in non-root netns"); + return -EINVAL; + } + if (br_mrp_enabled(br)) { NL_SET_ERR_MSG_MOD(extack, "STP can't be enabled if MRP is already enabled"); -- 2.30.2

Right now, you can configure most bridge device parameters via sysfs. However, you cannot either: - add or remove bridge interfaces - add or remove physical interfaces from a bridge The attached patch set rectifies this. With this patch set, brctl (theoretically) becomes completely optional, much like ifenslave is now for bonding. (In fact, the idea for this patch, and the syntax used herein, is

...nclude <net/failover.h> #include "hyperv_net.h" @@ -1763,46 +1764,6 @@ static void netvsc_link_change(struct work_struct *w) rtnl_unlock(); } -static struct net_device *get_netvsc_bymac(const u8 *mac) -{ - struct net_device *dev; - - ASSERT_RTNL(); - - for_each_netdev(&init_net, dev) { - if (dev->netdev_ops != &device_ops) - continue; /* not a netvsc device */ - - if (ether_addr_equal(mac, dev->perm_addr)) - return dev; - } - - return NULL; -} - -static struct net_device *get_netvsc_byref(struct net_device *vf_netdev) -{ - struct net_device *dev; - - ASSER...

...de <net/net_failover.h> #include "hyperv_net.h" @@ -1763,46 +1764,6 @@ static void netvsc_link_change(struct work_struct *w) rtnl_unlock(); } -static struct net_device *get_netvsc_bymac(const u8 *mac) -{ - struct net_device *dev; - - ASSERT_RTNL(); - - for_each_netdev(&init_net, dev) { - if (dev->netdev_ops != &device_ops) - continue; /* not a netvsc device */ - - if (ether_addr_equal(mac, dev->perm_addr)) - return dev; - } - - return NULL; -} - -static struct net_device *get_netvsc_byref(struct net_device *vf_netdev) -{ - struct net_device *dev; - - ASSER...

...de <net/net_failover.h> #include "hyperv_net.h" @@ -1763,46 +1764,6 @@ static void netvsc_link_change(struct work_struct *w) rtnl_unlock(); } -static struct net_device *get_netvsc_bymac(const u8 *mac) -{ - struct net_device *dev; - - ASSERT_RTNL(); - - for_each_netdev(&init_net, dev) { - if (dev->netdev_ops != &device_ops) - continue; /* not a netvsc device */ - - if (ether_addr_equal(mac, dev->perm_addr)) - return dev; - } - - return NULL; -} - -static struct net_device *get_netvsc_byref(struct net_device *vf_netdev) -{ - struct net_device *dev; - - ASSER...

...can bind to and > relatedly that there is no netns support so e.g. users in unproivileged > containers can bind to any vsock port and talk to the host, which might > be undesirable. For my use for now I just went with the big hammer > approach of denying access from anything other than init_net > namespace[1] while I consider what the right answer is. From the vhost point of view each netns should have its own AF_VSOCK namespace. This way two containers could act as "the host" (CID 2) for their respective guests. -------------- next part -------------- A non-text attachment...

...can bind to and > relatedly that there is no netns support so e.g. users in unproivileged > containers can bind to any vsock port and talk to the host, which might > be undesirable. For my use for now I just went with the big hammer > approach of denying access from anything other than init_net > namespace[1] while I consider what the right answer is. From the vhost point of view each netns should have its own AF_VSOCK namespace. This way two containers could act as "the host" (CID 2) for their respective guests. -------------- next part -------------- A non-text attachment...

...nclude <net/failover.h> #include "hyperv_net.h" @@ -1763,46 +1764,6 @@ static void netvsc_link_change(struct work_struct *w) rtnl_unlock(); } -static struct net_device *get_netvsc_bymac(const u8 *mac) -{ - struct net_device *dev; - - ASSERT_RTNL(); - - for_each_netdev(&init_net, dev) { - if (dev->netdev_ops != &device_ops) - continue; /* not a netvsc device */ - - if (ether_addr_equal(mac, dev->perm_addr)) - return dev; - } - - return NULL; -} - -static struct net_device *get_netvsc_byref(struct net_device *vf_netdev) -{ - struct net_device *dev; - - ASSER...

...#include <net/bypass.h> #include "hyperv_net.h" @@ -1763,46 +1764,6 @@ static void netvsc_link_change(struct work_struct *w) rtnl_unlock(); } -static struct net_device *get_netvsc_bymac(const u8 *mac) -{ - struct net_device *dev; - - ASSERT_RTNL(); - - for_each_netdev(&init_net, dev) { - if (dev->netdev_ops != &device_ops) - continue; /* not a netvsc device */ - - if (ether_addr_equal(mac, dev->perm_addr)) - return dev; - } - - return NULL; -} - -static struct net_device *get_netvsc_byref(struct net_device *vf_netdev) -{ - struct net_device *dev; - - ASSER...