Arnd Bergmann wrote:
On Monday 11 August 2008, Dave Hansen wrote:
Thanks for all of the very interesting comments about the ABI.
Considering that we're still *really* early in getting this concept
merged up into mainline, what do you all think we should do now?
I think the two most
Greg the first 4 patches are the rest of the infrastructure.
Everything rebased quite nicely. All of the conflicts appear
to have been false positives.
With the addition of sysfs_rename_link sysfs_create_link_nowarn
is never called so we can remove it.
I'm not really certain whose tree the
From: [EMAIL PROTECTED] (Eric W. Biederman)
Date: Wed, 20 Aug 2008 23:31:00 -0700
Greg the first 4 patches are the rest of the infrastructure.
Everything rebased quite nicely. All of the conflicts appear
to have been false positives.
With the addition of sysfs_rename_link
All of the uses have been replaced by sysfs_rename_link which
is a clearer primitive to is also needed for the tagged directory
support.
Signed-off-by: Eric W. Biederman [EMAIL PROTECTED]
---
fs/sysfs/symlink.c| 15 ---
include/linux/sysfs.h | 10 --
2 files changed,
This reverts commit aaf8cdc34ddba08122f02217d9d684e2f9f5d575.
Drivers like the ipw2100 call device_create_group when they
are initialized and device_remove_group when they are shutdown.
Moving them between namespaces deletes their sysfs groups early.
In particular the following call chain
When removing a symlink sysfs_remove_link does not provide
enough information to figure out which tagged directory the symlink
falls in. So I need sysfs_delete_link which is passed the target
of the symlink to delete.
Further half the time when we are removing a symlink the code is
actually
The problem. Network devices show up in sysfs and with the network
namespace active multiple devices with the same name can show up in
the same directory, ouch!
To avoid that problem and allow existing applications in network namespaces
to see the same interface that is currently presented in
From: [EMAIL PROTECTED] (Eric W. Biederman)
Date: Wed, 20 Aug 2008 23:38:31 -0700
This reverts commit aaf8cdc34ddba08122f02217d9d684e2f9f5d575.
Drivers like the ipw2100 call device_create_group when they
are initialized and device_remove_group when they are shutdown.
Moving them between
From: [EMAIL PROTECTED] (Eric W. Biederman)
Date: Wed, 20 Aug 2008 23:39:13 -0700
The problem. Network devices show up in sysfs and with the network
namespace active multiple devices with the same name can show up in
the same directory, ouch!
To avoid that problem and allow existing
* Oren Laadan [EMAIL PROTECTED] wrote:
checkpoint/ckpt_x86.c | 28
checkpoint/rstr_x86.c |2 +
please move these into arch/x86/mm/checkpoint.c and
arch/x86/mm/restore.c. (also, please dont try to abbreviate too much in
filenames, makes it harder to follow changes later on,
The problem. When implementing a network namespace I need to be able
to have multiple network devices with the same name. Currently this
is a problem for /sys/class/net/*, /sys/devices/virtual/net/*, and
potentially a few other directories of the form /sys/ ... /net/*.
What this patch does is
These two functions do 90% of the same work and it doesn't significantly
obfuscate the function to allow both the parent dir and the name to change
at the same time. So merge them together to simplify maintenance, and
increase testing.
Signed-off-by: Eric W. Biederman [EMAIL PROTECTED]
---
On Thursday 21 August 2008, Oren Laadan wrote:
Arnd Bergmann wrote:
Extending this view in the context of security - we can require sysadmin
privilege to restart, and then sysadmin is responsible for the contents
of the file. The kernel will ensure the the data isn't corrupted. Much
like
On Wed, Aug 20, 2008 at 11:04:13PM -0400, Oren Laadan wrote:
Add those interfaces, as well as helpers needed to easily manage the
file format. The code is roughly broken out as follows:
ckpt/sys.c - user/kernel data transfer, as well as setup of the
checkpoint/restart context (a
On Wed, 20 Aug 2008 19:26:21 -0700
[EMAIL PROTECTED] wrote:
From: Sukadev Bhattiprolu [EMAIL PROTECTED]
Subject: [RFC][PATCH 1/8]: /dev/tty tweak in init_dev()
When opening /dev/tty, __tty_open() finds the tty using get_current_tty().
When __tty_open() calls init_dev() it passes in this
This patch has the kernel internally create the [ptmx, c, 5:2] device
when mounting devpts filesystem. The permissions for the device node
can be specified by the '-o ptmx_mode=0666' option. The default mode
is 0666.
NAK
Hopefully, presence of the 'ptmx' node in /dev/pts does not
Summary from the tty side:
- tty changes as proposed are an ugly hack
- I'm opposed to magically producing device nodes that were not there
before
- the pty driver doesn't use -driver_data which is probably what you
want for some of the back walking
- tty and pty code in this area is currently in
On Wed, Aug 20, 2008 at 11:05:15PM -0400, Oren Laadan wrote:
For each VMA, there is a 'struct cr_vma'; if the VMA is file-mapped,
it will be followed by the file name. The cr_vma-npages will tell
how many pages were dumped for this VMA. Then it will be followed
by the actual data: first a
On Wed, Aug 20, 2008 at 11:05:39PM -0400, Oren Laadan wrote:
Restoring the memory address space begins with nuking the existing one
of the current process, and then reading the VMA state and contents.
Call do_mmap_pgoffset() for each VMA and then read in the data.
[...]
diff --git
Ingo Molnar wrote:
* Oren Laadan [EMAIL PROTECTED] wrote:
checkpoint/ckpt_x86.c | 28
checkpoint/rstr_x86.c |2 +
please move these into arch/x86/mm/checkpoint.c and
arch/x86/mm/restore.c. (also, please dont try to abbreviate too much in
filenames, makes it harder to
Fernando Luis Vázquez Cao wrote:
Hi Balbir,
On Thu, 2008-08-21 at 09:02 +0530, Balbir Singh wrote:
Fernando Luis Vázquez Cao wrote:
On Wed, 2008-08-20 at 20:48 +0900, Hirokazu Takahashi wrote:
Hi,
Tsuruta-san, how about your bio-cgroup's tracking concerning this?
If we want to use your
From: Serge Hallyn [EMAIL PROTECTED]
Mark the /sys/kernel/uids directory to be tagged so that processes in
different user namespaces can remount /sys and see their own uid
listings.
Without this patch, having CONFIG_FAIR_SCHED=y makes user namespaces
unusable, because when you
On Wed, Aug 20, 2008 at 11:06:50PM -0400, Oren Laadan wrote:
Infrastructure to handle objects that may be shared and referenced by
multiple tasks or other objects, e..g open files, memory address space
etc.
The state of shared objects is saved once. On the first encounter, the
state is
On Wed, Aug 20, 2008 at 11:07:16PM -0400, Oren Laadan wrote:
Dump the files_struct of a task with 'struct cr_hdr_files', followed by
all open file descriptors. Since FDs can be shared, they are assigned a
tag and registered in the object hash.
For each open FD there is a 'struct
* Balbir Singh [EMAIL PROTECTED] wrote:
Ingo Molnar wrote:
* Oren Laadan [EMAIL PROTECTED] wrote:
checkpoint/ckpt_x86.c | 28
checkpoint/rstr_x86.c |2 +
please move these into arch/x86/mm/checkpoint.c and
arch/x86/mm/restore.c. (also, please dont try to
This patch enables tagging on every class directory if struct class
has a tag_type.
In addition device_del and device_rename were modified to use
sysfs_delete_link and sysfs_rename_link respectively to ensure
when these operations happen on devices whose classes have
tag_ops that they work
Alan Cox wrote:
This patch has the kernel internally create the [ptmx, c, 5:2] device
when mounting devpts filesystem. The permissions for the device node
can be specified by the '-o ptmx_mode=0666' option. The default mode
is 0666.
NAK
Hopefully, presence of the 'ptmx' node in
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Thu, 21 Aug 2008 05:58:52 -0700 (PDT) [EMAIL PROTECTED] wrote:
http://bugzilla.kernel.org/show_bug.cgi?id=11391
Summary: Kernel NULL pointer dereference in do_notify_parent()
H. Peter Anvin wrote:
[EMAIL PROTECTED] wrote:
I don't like the name newmnt for the option; it is not just another
mount, but a whole new instance of the pty space.
I agree. Its mostly a place-holder for now. How about newns or newptsns ?
I suggest newinstance, but newns works, too.
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message queue
namespace ?
Sorry, I fail to see the connection with devpts here? Are you
suggesting using the same option for another filesystem (if so,
Arnd Bergmann wrote:
On Thursday 21 August 2008, Oren Laadan wrote:
Using a single handle (crid or a special file descriptor) to identify
the whole checkpoint is very useful - to be able to stream it (eg. over
the network, or through filters). It is also very important for future
features
auto-created, than supporting mknod(2) inside the devpts filesystem.
It's not a matter of changing the user space; it's a matter of what
makes most sense inside the kernel.
Having an extra node with different permissions suddenely appear without
warning isn't I think good behaviour. I'm open
Alan Cox wrote:
auto-created, than supporting mknod(2) inside the devpts filesystem.
It's not a matter of changing the user space; it's a matter of what
makes most sense inside the kernel.
Having an extra node with different permissions suddenely appear without
warning isn't I think good
Cedric Le Goater wrote:
H. Peter Anvin wrote:
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message
queue namespace ?
Sorry, I fail to see the connection with devpts here? Are you
suggesting using the same
H. Peter Anvin wrote:
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message
queue namespace ?
Sorry, I fail to see the connection with devpts here? Are you
suggesting using the same option for another
Quoting H. Peter Anvin ([EMAIL PROTECTED]):
Alan Cox wrote:
auto-created, than supporting mknod(2) inside the devpts filesystem.
It's not a matter of changing the user space; it's a matter of what
makes most sense inside the kernel.
Having an extra node with different permissions
That makes sense. But if Suka does that, then is creating the device
when the newns flag is specified ok with you, Alan?
Sounds a good basis yes.
___
Containers mailing list
[EMAIL PROTECTED]
H. Peter Anvin [EMAIL PROTECTED] wrote:
Alan Cox wrote:
auto-created, than supporting mknod(2) inside the devpts filesystem. It's
not a matter of changing the user space; it's a matter of what makes
most sense inside the kernel.
Having an extra node with different permissions suddenely
Quoting Cedric Le Goater ([EMAIL PROTECTED]):
H. Peter Anvin wrote:
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message
queue namespace ?
Sorry, I fail to see the connection with devpts here?
[EMAIL PROTECTED] wrote:
I had the new ptmx node only in 'multi-mount' mode initially. But if users
want the multi-mount semantics, /dev/ptmx must be a symlink. If its a symlink,
we break in the single-mount case (which does not have the ptmx node and
we don't support mknod in pts).
True,
[EMAIL PROTECTED] writes:
H. Peter Anvin [EMAIL PROTECTED] wrote:
Alan Cox wrote:
auto-created, than supporting mknod(2) inside the devpts filesystem. It's
not a matter of changing the user space; it's a matter of what makes
most sense inside the kernel.
Having an extra node with
Eric W. Biederman wrote:
I had the new ptmx node only in 'multi-mount' mode initially. But if users
want the multi-mount semantics, /dev/ptmx must be a symlink. If its a
symlink,
we break in the single-mount case (which does not have the ptmx node and
we don't support mknod in pts).
Then
Cedric Le Goater [EMAIL PROTECTED] writes:
H. Peter Anvin wrote:
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message
queue namespace ?
Sorry, I fail to see the connection with devpts here? Are you
H. Peter Anvin [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
I had the new ptmx node only in 'multi-mount' mode initially. But if users
want the multi-mount semantics, /dev/ptmx must be a symlink. If its a
symlink,
we break in the single-mount case (which does not have the ptmx node and
[EMAIL PROTECTED] wrote:
Hmm, so, single and multi-mount don't coexist ? i.e some are multi-mounts
while others are single-mounts.
The way I looked at is that even if a distro has not yet updated the
startup script (fstab), we could use the multi-mount. Maybe a container
startup script
H. Peter Anvin [EMAIL PROTECTED] writes:
Eric W. Biederman wrote:
I had the new ptmx node only in 'multi-mount' mode initially. But if users
want the multi-mount semantics, /dev/ptmx must be a symlink. If its a
symlink,
we break in the single-mount case (which does not have the ptmx node and
Eric W. Biederman wrote:
The point of making it a bind is to address the concerns about
backwards compatibility in user space. In particular security
conscious applications and applications that perform sanity checks
are known to ignore things if they are the wrong type in the filesystem.
Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
H. Peter Anvin [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
I had the new ptmx node only in 'multi-mount' mode initially. But if users
want the multi-mount semantics, /dev/ptmx must be a symlink. If its a
symlink,
we break in the
Eric W. Biederman wrote:
Cedric Le Goater [EMAIL PROTECTED] writes:
H. Peter Anvin wrote:
Cedric Le Goater wrote:
I suggest newinstance, but newns works, too.
Could we also use this mount option to 'unshare' a new posix message
queue namespace ?
Sorry, I fail to see the connection with
Now that dev_net() exists, the usefullness of them is even less. Also they're
a big problem in resolving circular header dependencies necessary for
NOTRACK-in-netns patch. See below.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/linux/netfilter.h | 53
Conntrack (struct nf_conn) gets pointer to netns: -ct_net -- netns in which
it was created. It comes from netdevice.
-ct_net is write-once field.
Every conntrack in system has -ct_net initialized, no exceptions.
-ct_net doesn't pin netns: conntracks are recycled after timeouts and
pinning
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv6/netfilter/ip6table_mangle.c | 31 +--
1 file changed, 21 insertions(+), 10 deletions(-)
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -67,17 +67,29 @@ static
Quoting Andrew Morton ([EMAIL PROTECTED]):
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Thu, 21 Aug 2008 05:58:52 -0700 (PDT) [EMAIL PROTECTED] wrote:
http://bugzilla.kernel.org/show_bug.cgi?id=11391
Summary:
Sysctls and proc files are stubbed to init_net's one. This is temporary.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack.h |1 -
include/net/netns/conntrack.h |3 +++
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv6/netfilter/ip6t_REJECT.c | 23 ---
1 file changed, 12 insertions(+), 11 deletions(-)
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -35,7 +35,7 @@ MODULE_DESCRIPTION(Xtables:
One comment: #ifdefs around #include is necessary to overcome amazing compile
breakages in NOTRACK-in-netns patch (see below).
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/net_namespace.h |6 ++
include/net/netfilter/nf_conntrack_core.h |4 ++--
* make per-netns conntrack hash
Other solution is to add -ct_net pointer to tuplehashes and still has one
hash, I tried that it's ugly and requires more code deep down in protocol
modules et al.
* propagate netns pointer to where needed, e. g. to conntrack iterators.
Signed-off-by: Alexey
It's deducible as is, but it's also known at nf_conntrack_in() time allowing
to not branch and make code simpler later.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack_core.h |2 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |4 ++--
Statistics part of stat/nf_conntrack is from init_net, this is temporary.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_standalone.c | 52 +++-
1 file changed, 31 insertions(+), 21 deletions(-)
---
Again, netns is deducible in every single -error hook, but we're going
to use it everywhere for nf_conntrack_checksum and stats, so pass it from
upper layer.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack_l4proto.h |2 +-
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 14 +-
net/netfilter/nf_conntrack_standalone.c | 15 +--
2 files changed, 18 insertions(+), 11 deletions(-)
---
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/nf_nat_core.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -588,6 +588,10 @@ static int __net_init nf_nat_net_init(struct
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 60 --
1 file changed, 40 insertions(+), 20 deletions(-)
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++
Add init_net checks to e. g. create kmem caches once.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_core.c | 111 +---
net/netfilter/nf_conntrack_expect.c | 27 +---
2 files changed, 81 insertions(+), 57 deletions(-)
Make untracked conntrack per-netns. Compare conntracks with relevant
untracked one.
The following code you'll start laughing at this code:
if (ct == ct-ct_net-ct.untracked)
...
let me remind you that -ct_net is set in only one place, and never
overwritten later.
All of
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack.h |1 -
include/net/netns/conntrack.h |1 +
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c |2 +-
Conntrack code will use it for
a) removing expectations and helpers when corresponding module is removed, and
b) removing conntracks when L3 protocol conntrack module is removed.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/core/net_namespace.c |2 +-
1 file changed, 1
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_pptp.c | 35 ++-
1 file changed, 26 insertions(+), 9 deletions(-)
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -121,7 +121,7 @@ static void
Default value is the one at the end of module load (config or module option).
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack_acct.h | 10 ++--
include/net/netns/conntrack.h |2
net/netfilter/nf_conntrack_acct.c | 67
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/nf_nat_rule.c |7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -91,13 +91,13 @@ static unsigned int ipt_snat_target(struct
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_helper.c | 41 +---
1 file changed, 24 insertions(+), 17 deletions(-)
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -123,29 +123,18 @@ int
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_sip.c |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -775,7 +775,7 @@ static int set_expected_rtp_rtcp(struct sk_buff
* make keymap list per-netns
* do the same for lock while I'm at it (not strictly necessary)
* flush keymap at netns stop and module unload time.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/linux/netfilter/nf_conntrack_proto_gre.h |2
net/netfilter/nf_conntrack_pptp.c
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/ipv4.h |1
net/ipv4/netfilter/nf_nat_rule.c | 40 +++
2 files changed, 29 insertions(+), 12 deletions(-)
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/netfilter/nf_conntrack_h323_main.c |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -1218,7 +1218,7 @@ static struct
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/ipt_MASQUERADE.c |6 +-
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -120,16 +120,13 @@ static int masq_device_event(struct
Note, sysctl table is always duplicated, this is simpler, less special-cased,
less mistakes (and did one mistake in first version of this patch).
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/conntrack.h |4 +
net/netfilter/nf_conntrack_standalone.c | 73
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/ipv4/netfilter/nf_nat_pptp.c |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -73,7 +73,7 @@ static void pptp_nat_expected(struct nf_conn *ct,
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/ipv4.h |2 +
net/ipv4/netfilter/nf_nat_core.c | 71 +++
2 files changed, 45 insertions(+), 28 deletions(-)
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@
Bridge as netdevice doesn't cross netns boundaries.
Bridge ports and bridge itself live in same netns.
Notifiers are fixed.
netns propagated from userspace socket.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/bridge/br_device.c |3 ++-
net/bridge/br_if.c | 11
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/bridge/br.c | 22 --
net/bridge/br_if.c |4 ++--
net/bridge/br_private.h |2 +-
3 files changed, 19 insertions(+), 9 deletions(-)
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -28,6 +28,10 @@
* make registered ebtables list per-netns
* for that, duplicate table at the very beginning of register,
we can't add one table to multiple lists.
* propagate netns from userspace socket down to iterators over list,
* register individual modules only in init_net for a minute.
Signed-off-by:
So far it wasn't needed, because modules were pinned just right to prevent
ebtables from
unloading when cleanup was necessary.
ebt_unregster_table() is called during netns stop now, so...
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/bridge/netfilter/ebtables.c |3 ++-
1 file
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/bridge.h|1
net/bridge/netfilter/ebtable_broute.c | 36 +-
2 files changed, 28 insertions(+), 9 deletions(-)
--- a/include/net/netns/bridge.h
+++
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/bridge.h|1
net/bridge/netfilter/ebtable_filter.c | 51 --
2 files changed, 38 insertions(+), 14 deletions(-)
--- a/include/net/netns/bridge.h
+++
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netns/bridge.h |1
net/bridge/netfilter/ebtable_nat.c | 48 -
2 files changed, 33 insertions(+), 16 deletions(-)
--- a/include/net/netns/bridge.h
+++ b/include/net/netns/bridge.h
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
net/bridge/br_netfilter.c |3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -357,7 +357,7 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
What is unconfirmed connection in one netns can very well be confirmed
in another.
Signed-off-by: Alexey Dobriyan [EMAIL PROTECTED]
---
include/net/netfilter/nf_conntrack_core.h |1 -
include/net/netns/conntrack.h |2 ++
net/netfilter/nf_conntrack_core.c |6
ip_route_me_harder() is called on output codepaths:
1) IPVS: honestly, not sure, looks like it can be called during forwarding
2) IPv4 REJECT: refreshing comment re skb-dst is valid and assigment of
skb-dst right before call :^)
3) NAT: called in LOCAL_OUT hook
4) iptable_mangle: LOCAL_OUT hook
* make registered ebtables list per-netns
* for that, duplicate table at the very beginning of register,
we can't add one table to multiple lists.
* propagate netns from userspace socket down to iterators over list,
* register individual modules only in init_net for a minute.
Signed-off-by:
Quoting Andrey Mirkin ([EMAIL PROTECTED]):
On Friday 01 August 2008 01:28 Serge E. Hallyn wrote:
Quoting Andrey Mirkin ([EMAIL PROTECTED]):
Hello Oren,
That is great, that you have proposed your version of
checkpointing/restart. In a few days I will send a patchset with OpenVZ
Hi Kamezawa-san,
KAMEZAWA Hiroyuki wrote:
On Wed, 20 Aug 2008 16:12:47 +0900 (JST)
Hirokazu Takahashi [EMAIL PROTECTED] wrote:
- I think this kind of thread application should control its I/O requests
inside of the application. I guess it seems to quite difficult to
determine which
92 matches
Mail list logo