Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread Michal Kubecek
On Mon, Dec 11, 2017 at 11:58:37AM -0500, David Miller wrote:
> From: Michal Kubecek
> Date: Mon, 11 Dec 2017 17:13:50 +0100
>
> > On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> >> From: Kevin Cernekee
> >> Date: Wed, 6 Dec 2017 12:12:27 -0800
> >>
> >> > Currently, a nlmon li

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread David Miller
From: Michal Kubecek
Date: Mon, 11 Dec 2017 17:13:50 +0100

> On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
>> From: Kevin Cernekee
>> Date: Wed, 6 Dec 2017 12:12:27 -0800
>>
>> > Currently, a nlmon link inside a child namespace can observe systemwide
>> > netlink activity. Fil

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread Michal Kubecek
On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> From: Kevin Cernekee
> Date: Wed, 6 Dec 2017 12:12:27 -0800
>
> > Currently, a nlmon link inside a child namespace can observe systemwide
> > netlink activity. Filter the traffic so that nlmon can only sniff
> > netlink messages fr

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-06 Thread David Miller
From: Kevin Cernekee
Date: Wed, 6 Dec 2017 12:12:27 -0800

> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity. Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
>
> Test case:
>
> vpnns -- bash -c "ip link add n

[PATCH V2] netlink: Add netns check on taps

2017-12-06 Thread Kevin Cernekee
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity. Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

vpnns -- bash -c "ip link add nlmon0 type nlmon; \
ip link set nlmon0 up; \