[Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-13 Thread Andrei Vagin
From: "Eric W. Biederman" ML: 9847371a84b0be330f4bc4aaa98904101ee8573d https://jira.sw.ru/browse/PSBM-69409? Making this work is a little tricky as it really isn't kosher to change the xt_owner_match_info in a check function. Without changing xt_owner_match_info we need to know the user namespa

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-16 Thread Konstantin Khorenko
Stas, please review the patch. Andrey, why do we need to support deeper user namespaces at all? Some app tries to create a new userns inside a vz7 CT and use ipt_owner inside it? -- Best regards, Konstantin Khorenko, Virtuozzo Linux Kernel Team On 10/14/2017 02:20 AM, Andrei Vagin wrote:

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-16 Thread Stanislav Kinsburskiy
Well, patch looks ok. But shouldn't all the ve_init_user_ns() be replaced by the par->net? 14.10.2017 01:20, Andrei Vagin wrote: > From: "Eric W. Biederman" > > ML: 9847371a84b0be330f4bc4aaa98904101ee8573d > https://jira.sw.ru/browse/PSBM-69409? > > Making this work is a little tricky as it really

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-16 Thread Andrei Vagin
On Mon, Oct 16, 2017 at 01:33:12PM +0300, Konstantin Khorenko wrote: > Stas, please review the patch. > > Andrey, why do we need to support deeper user namespaces at all? > Some app tries to create a new userns inside a vz7 CT and use ipt_owner > inside it? The kernel grabs userns when we sen

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-16 Thread Andrei Vagin
On Mon, Oct 16, 2017 at 05:50:38PM +0200, Stanislav Kinsburskiy wrote: > Well, patch looks ok. > But shouldn't all the ve_init_user_ns() be replaced by the par->net? This patch does this. > > 14.10.2017 01:20, Andrei Vagin wrote: > > From: "Eric W. Biederman" > > > > ML: 9847371a84b0be330f4bc4aaa

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-17 Thread Stanislav Kinsburskiy
17.10.2017 08:53, Andrei Vagin wrote: > On Mon, Oct 16, 2017 at 05:50:38PM +0200, Stanislav Kinsburskiy wrote: >> Well, patch looks ok. >> But shouldn't all the ve_init_user_ns() be replaced by the par->net? > > This patch does this. > Yes, but not everywhere. Say, there are owner_mt_ve0 and owne

Re: [Devel] [PATCH rh7] netfilter: Allow xt_owner in any user namespace

2017-10-17 Thread Konstantin Khorenko
On 10/17/2017 12:08 PM, Stanislav Kinsburskiy wrote: 17.10.2017 08:53, Andrei Vagin wrote: On Mon, Oct 16, 2017 at 05:50:38PM +0200, Stanislav Kinsburskiy wrote: Well, patch looks ok. But shouldn't all the ve_init_user_ns() be replaced by the par->net? This patch does this. Yes, but not eve