[PATCH next 03/14] inet netfilter: Prefer state->hook to ops->hooknum

2015-09-18 Thread Eric W. Biederman
"Eric W. Biederman" <ebied...@xmission.com> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 ++-- net/ipv4/netfilter/nf_defrag_ipv4.c| 2 +- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 14 +++--- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |

[PATCH next 05/14] x_tables: Pass struct net in xt_action_param

2015-09-18 Thread Eric W. Biederman
As xt_action_param lives on the stack this does not bloat any persistent data structures. This is a first step in making netfilter code that needs to know which network namespace it is executing in simpler. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include

[PATCH next 02/14] inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table

2015-09-18 Thread Eric W. Biederman
e the number of cachelines the callers touch. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/netfilter_arp/arp_tables.h | 1 - include/linux/netfilter_ipv4/ip_tables.h | 1 - include/linux/netfilter_ipv6/ip6_tables.h | 1 - net/ipv4/netfilter/arp_tables.c

[PATCH next 07/14] nftables: Pass struct net in nft_pktinfo

2015-09-18 Thread Eric W. Biederman
nft_pktinfo is passed on the stack so this does not bloat any in core data structures. By centrally computing this information this makes maintenance of the code simpler, and understanding of the code easier. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- inclu

[PATCH next 04/14] nftables: kill nft_pktinfo.ops

2015-09-18 Thread Eric W. Biederman
ed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/net/netfilter/nf_tables.h | 9 - include/net/netfilter/nf_tables_ipv4.h| 3 +-- include/net/netfilter/nf_tables_ipv6.h| 3 +-- net/bridge/netfilter/nf_tables_bridge.c | 16 ++

[PATCH next 06/14] x_tables: Use par->net instead of computing from the passed net devices

2015-09-18 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- net/bridge/netfilter/ebt_log.c | 2 +- net/bridge/netfilter/ebt_nflog.c | 2 +- net/ipv4/netfilter/ipt_SYNPROXY.c | 2 +- net/ipv4/netfilter/ipt_rpfilter.c | 5 ++--- net/ipv6/netfilter/ip6t_REJECT.c |

[PATCH next 11/14] ipvs: Read hooknum from state rather than ops->hooknum

2015-09-18 Thread Eric W. Biederman
From: Eric W Biederman <ebied...@xmission.com> This should be more cache efficient as state is more likely to be in core, and the netfilter core will stop passing in ops soon. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- net/netfilter/ipvs/ip_vs_core.c |

[PATCH next 10/14] nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple

2015-09-18 Thread Eric W. Biederman
As gre does not have the srckey in the packet gre_pkt_to_tuple needs to perform a lookup in its per network namespace tables. Pass in the proper network namespace to all pkt_to_tuple implementations to ensure gre (and any similar protocols) can get this right. Signed-off-by: "Eric W. Bied

[PATCH next 12/14] netfilter: Pass priv instead of nf_hook_ops to netfilter hooks

2015-09-18 Thread Eric W. Biederman
From: Eric W Biederman <ebied...@xmission.com> Only pass the void *priv parameter out of the nf_hook_ops. That is all any of the functions are interested in now, and by limiting what is passed it becomes simpler to change implementation details. Signed-off-by: "Eric W. Bieder

[PATCH next 08/14] nftables: Use pkt->net instead of computing net from the passed net_devices

2015-09-18 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- net/bridge/netfilter/nft_reject_bridge.c | 13 ++--- net/ipv6/netfilter/nft_reject_ipv6.c | 6 +++--- net/netfilter/nf_tables_core.c | 6 ++ net/netfilter/nft_log.c | 3 +-

[PATCH next 01/14] ebtables: Simplify the arguments to ebt_do_table

2015-09-18 Thread Eric W. Biederman
(the only caller without a nf_hook_state already available). This new nf_hook_state adds no new computations to ebt_broute, but does use a few more bytes of stack. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/netfilter_bridge/ebtables.h | 6 ++

[PATCH next 09/14] net: Pass net to nf_dup_ipv4 and nf_dup_ipv6

2015-09-18 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/net/netfilter/ipv4/nf_dup_ipv4.h | 2 +- include/net/netfilter/ipv6/nf_dup_ipv6.h | 2 +- net/ipv4/netfilter/nf_dup_ipv4.c | 23 --- net/ipv4/netfilter/nft_dup_ipv4.c|

Re: [PATCH net 0/2] lwtunnel: make it really work, for IPv4

2015-09-23 Thread Eric W. Biederman
Jiri Benc <jb...@redhat.com> writes: > On Wed, 23 Sep 2015 12:42:30 -0500, Eric W. Biederman wrote: [snip] >> So perhaps instead of: >> +if (arp->ar_op == htons(ARPOP_REQUEST) && skb_metadata_dst(skb)) >> +

[PATCH net] bridge: Only call /sbin/bridge-stp for the initial network namespace

2015-11-30 Thread Eric W. Biederman
which if /sbin/bridge-stp does not guard against unreasonable arguments or being invoked twice on the same network device could cause problems. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- net/bridge/br_stp_if.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletio

Re: [PATCH net] net:sysctl fix the confusing corner of tcp_mem

2015-12-09 Thread Eric W. Biederman
ed. > This patch fixes the confusing corner and makes __do_proc_doulongvec_minmax > work the same as __do_proc_dointvec Nacked-by: "Eric W. Biederman" <ebied...@xmission.com> Except for possibly breaking your muscle memory this does not explain why this is a problem. Further you ar

Re: [PATCH net-next 0/4] batch calls to fib_flush and arp_ifdown

2016-01-04 Thread Eric W. Biederman
Salam Noureddine writes: > fib_flush walks the whole fib in a net_namespace and is called for > each net_device being closed or unregistered. This can be very expensive > when dealing with 100k or more routes in the fib and removal of a lot > of interfaces. These four

Re: nf_unregister_net_hook: hook not found!

2015-12-29 Thread Eric W. Biederman
Pablo Neira Ayuso writes: > On Mon, Dec 28, 2015 at 09:05:03PM +0100, Sander Eikelenboom wrote: >> Hi, >> >> Running a 4.4.0-rc6 kernel I encountered the warning below. > > Cc'ing Eric Biederman. > > @Sander, could you provide a way to reproduce this? I am on vacation

Re: [PATCH net] bridge: Only call /sbin/bridge-stp for the initial network namespace

2015-11-30 Thread Eric W. Biederman
Stephen Hemminger <step...@networkplumber.org> writes: > On Mon, 30 Nov 2015 15:38:15 -0600 > ebied...@xmission.com (Eric W. Biederman) wrote: > >> >> There is no defined mechanism to pass network namespace information >> into /sbin/bridge-stp therefore d

Re: [RFC PATCH 0/4] Make inotify instance/watches be accounted per userns

2016-06-03 Thread Eric W. Biederman
Nikolay Borisov <ker...@kyup.com> writes: > On 06/02/2016 07:58 PM, Eric W. Biederman wrote: >> >> Nikolay please see my question for you at the end. [snip] >> All of that said there is definitely a practical question that needs to >> be asked. Nikolay ho

Re: [RFC PATCH 0/4] Make inotify instance/watches be accounted per userns

2016-06-06 Thread Eric W. Biederman
Nikolay Borisov <ker...@kyup.com> writes: > On 06/03/2016 11:41 PM, Eric W. Biederman wrote: >> Nikolay Borisov <ker...@kyup.com> writes: >> >>> On 06/02/2016 07:58 PM, Eric W. Biederman wrote: >>>> >>>> Nikolay please see my q

Re: [RFC PATCH 0/4] Make inotify instance/watches be accounted per userns

2016-06-02 Thread Eric W. Biederman
Nikolay Borisov <ker...@kyup.com> writes: > On 06/01/2016 07:00 PM, Eric W. Biederman wrote: >> Cc'd the containers list. >> >> >> Nikolay Borisov <ker...@kyup.com> writes: >> >>> Currently the inotify instances/watches are being a

Re: [RFC PATCH 0/4] Make inotify instance/watches be accounted per userns

2016-06-02 Thread Eric W. Biederman
Nikolay please see my question for you at the end. Jan Kara <j...@suse.cz> writes: > On Wed 01-06-16 11:00:06, Eric W. Biederman wrote: >> Cc'd the containers list. >> >> Nikolay Borisov <ker...@kyup.com> writes: >> >> > Currently t

Re: [RFC PATCH 0/4] Make inotify instance/watches be accounted per userns

2016-06-01 Thread Eric W. Biederman
Cc'd the containers list. Nikolay Borisov writes: > Currently the inotify instances/watches are being accounted in the > user_struct structure. This means that in setups where multiple > users in unprivileged containers map to the same underlying > real user (e.g.

Re: rstpd implementation

2016-06-22 Thread Eric W. Biederman
Phil writes: > Hi, > > When looking for an RSTP daemon I found Stephen Hemminger's > git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/rstp.git > > with its last commit from October 2011.

Re: [PATCH net] sock_diag: invert socket destroy broadcast check

2016-06-24 Thread Eric W. Biederman
Willem de Bruijn writes: > From: Willem de Bruijn > > Socket destruction is only broadcast for a socket sk if a diag > listener is registered and sk is not a kernel socket. > > Invert the test to not even check for listeners for kernel

Re: [PATCH net-next 2/2] mpls: allow TTL propagation to/from IP packets to be configured

2016-02-06 Thread Eric W. Biederman
Robert Shearman writes: > It is sometimes desirable to present an MPLS transport network as a > single hop to traffic transiting it because it prevents confusion when > diagnosing failures. An example of where confusion can be generated is > when addresses used in the

Re: [PATCH] openvswitch: allow management from inside user namespaces

2016-01-29 Thread Eric W. Biederman
Tycho Andersen writes: > Operations with the GENL_ADMIN_PERM flag fail permissions checks because > this flag means we call netlink_capable, which uses the init user ns. > > Instead, let's do permissions checks in each function, but use the netlink > socket's user

Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults

2016-02-24 Thread Eric W. Biederman
David Miller writes: > From: Konstantin Khlebnikov > Date: Sun, 21 Feb 2016 10:11:02 +0300 > >> Currently initial net.ipv4.conf.all.* and net.ipv4.conf.default.* are >> copied from init network namespace because static structures are used >> for

Re: [PATCH 0/4] Namespacify inet_peer_* sysctl knobs

2016-02-17 Thread Eric W. Biederman
Nikolay Borisov writes: > This series make the inet_peer ttl sysctls to be namespace aware. > > Patch 1 adds a namespace association to the inet_peer_base struct, > which in turn is used to make the sysctls namespace aware. The > rest of the patches are straightforward. At a

Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults

2016-02-21 Thread Eric W. Biederman
> from any netns. This patch makes private copy also for init netns if > network namespaces are enabled. Other sysctls in net.ipv4 and net.ipv6 > are already initialized with default values at namespace creation. Acked-by: "Eric W. Biederman" <ebied...@xmission.com> Assuming that t

Re: IPv4/IPv6 sysctl defaults in new namespace

2016-02-15 Thread Eric W. Biederman
Konstantin Khlebnikov writes: > IPv6 initialized with default. That's ok. > IPv4 makes a copy from init_net. Looks like a bug, here > v2.6.24-2577-g752d14dc6aa9 > > root@zurg:~# sysctl net.ipv4.conf.all.forwarding=0 > net.ipv6.conf.all.forwarding=0 >

Re: [PATCH net-next 1/3] lwtunnel: autoload of lwt modules

2016-02-15 Thread Eric W. Biederman
Robert Shearman writes: > The lwt implementations using net devices can autoload using the > existing mechanism using IFLA_INFO_KIND. However, there's no mechanism > that lwt modules not using net devices can use. > > Therefore, add the ability to autoload modules

Re: [linux-kernel] dead loop for rtnl_trylock

2016-02-22 Thread Eric W. Biederman
Copied netdev as that is the more appropriate mailing list for questions like this. Xianpeng Zhao writes: > Hi Group, > > I have found a problem in my system: there is a chance that > the system enters a dead loop when trying to get the rtnl lock in the

Re: [PATCH net-next] macvlan: fix failure during registration v2

2016-04-22 Thread Eric W. Biederman
Francesco Ruggeri <frugg...@arista.com> writes: > On Thu, Apr 21, 2016 at 10:44 AM, Eric W. Biederman > <ebied...@xmission.com> wrote: > < >>> diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c >>> index 95394ed..e770221 100644 >>>

Re: [PATCH net-next] macvtap: check minor when unregistering

2016-04-25 Thread Eric W. Biederman
call_netdevice_notifiers(NETDEV_UNREGISTER, dev); > macvtap_device_event(NETDEV_UNREGISTER) > > Acked-by: "Eric W. Biederman" <ebied...@xmission.com> > Signed-off-by: Francesco Ruggeri <frugg...@arista.com> > --- > drivers/net/macvtap.c | 3 +++ > 1 file c

Re: [PATCH net-next] macvlan: fix failure during registration v3

2016-04-25 Thread Eric W. Biederman
_newlink. > A similar problem may exist in the ipvlan driver. > This patch consolidates modifications to port->count into macvlan_init > and macvlan_uninit (thanks to Eric Biederman for suggesting this approach). > > v3: remove macvtap specific bits. Acked-by: "Eric W. Bied

Re: [PATCH net-next] macvtap: add namespace support to the sysfs device class

2016-04-25 Thread Eric W. Biederman
Marc Angel writes: > When creating macvtaps that are expected to have the same ifindex > in different network namespaces, only the first one will succeed. > The others will fail with a sysfs_warn_dup warning due to them trying > to create the following sysfs link (with 'NN' the

Re: [PATCH net-next] macvlan: fix failure during registration v2

2016-04-21 Thread Eric W. Biederman
Francesco Ruggeri writes: > If macvlan_common_newlink fails in register_netdevice after macvlan_init > then it decrements port->count twice, first in macvlan_uninit (from > register_netdevice or rollback_registered) and then again in > macvlan_common_newlink. > A similar

[PATCH net] bpf: Use mount_nodev not mount_ns to mount the bpf filesystem

2016-05-20 Thread Eric W. Biederman
es Frederic Sowa <han...@stressinduktion.org> Acked-by: Daniel Borkmann <dan...@iogearbox.net> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- kernel/bpf/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/inode.c b/kernel/

Re: [RFC][PATCH net] bpf: Use mount_nodev not mount_ns to mount the bpf filesystem

2016-05-20 Thread Eric W. Biederman
Hannes Frederic Sowa writes: > On 18.05.2016 22:43, Daniel Borkmann wrote: >> Eric, please send the patch officially and feel free to add my Ack. Done. >> Given >> the circumstances, moving to mount_nodev() seems the best way forward. To >> also address above

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-12 Thread Eric W. Biederman
Pablo Neira Ayuso writes: > On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote: >> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c >> index 5baa8e2..9722819 100644 >> --- a/net/netfilter/nf_queue.c >> +++ b/net/netfilter/nf_queue.c >> @@ -102,6

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-14 Thread Eric W. Biederman
Florian Westphal <f...@strlen.de> writes: > Eric W. Biederman <ebied...@xmission.com> wrote: >> Florian Westphal <f...@strlen.de> writes: >> >> > Eric W. Biederman <ebied...@xmission.com> wrote: >> >> Florian could you test and ve

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-13 Thread Eric W. Biederman
Florian Westphal <f...@strlen.de> writes: > Eric W. Biederman <ebied...@xmission.com> wrote: >> > AFAICS no other callers do something similar, but yes, >> > we'd need this all over the place if there are others. >> > >> > Maybe we need a sa

[PATCH] nf_queue: Make the queue_handler pernet

2016-05-13 Thread Eric W. Biederman
: Florian Westphal <f...@strlen.de> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/net/netfilter/nf_queue.h | 4 ++-- include/net/netns/netfilter.h| 2 ++ net/netfilter/nf_queue.c | 17 ++

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-13 Thread Eric W. Biederman
Florian Westphal <f...@strlen.de> writes: > Eric W. Biederman <ebied...@xmission.com> wrote: >> Florian could you test and verify this patch fixes your issues? > > Yes, this seems to work. > > Pablo, I'm fine with this patch going into -nf/stable but I do not thin

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-13 Thread Eric W. Biederman
could have similar issues. Eric From: "Eric W. Biederman" <ebied...@xmission.com> Date: Fri, 13 May 2016 15:26:03 -0500 Subject: [PATCH] nf_queue: Make the queue_handler pernet Florian Weber reported: > Under full load (unshare() in loop -> OOM conditions) we can >

Re: [RFC][PATCH net] bpf: Use mount_nodev not mount_ns to mount the bpf filesystem

2016-05-18 Thread Eric W. Biederman
Hannes Frederic Sowa <han...@stressinduktion.org> writes: > On 18.05.2016 01:12, Eric W. Biederman wrote: >> >> While reviewing the filesystems that set FS_USERNS_MOUNT I spotted the >> bpf filesystem. Looking at the code I saw a broken usage of mount_ns

Re: [PATCH nf V2] netfilter: fix oops in nfqueue during netns error unwinding

2016-05-13 Thread Eric W. Biederman
Florian Westphal <f...@strlen.de> writes: > Eric W. Biederman <ebied...@xmission.com> wrote: >> > On Wed, May 11, 2016 at 05:41:13PM +0200, Florian Westphal wrote: >> >> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c >> >> index 5

Re: [PATCH net-next] macvlan: fix failure during registration

2016-04-18 Thread Eric W. Biederman
Francesco Ruggeri writes: > Resending, did not include netdev the first time ... > > If a macvlan/macvtap creation fails in register_netdevice in > call_netdevice_notifiers(NETDEV_REGISTER) then while cleaning things up in > rollback_registered_many it invokes

Re: [PATCH net-next] macvlan: fix failure during registration

2016-04-18 Thread Eric W. Biederman
Francesco Ruggeri <frugg...@arista.com> writes: > On Mon, Apr 18, 2016 at 11:48 AM, Eric W. Biederman > <ebied...@xmission.com> wrote: >> >> These interactions all seem a little bit funny. At a quick skim it >> would make more sense to increment the port coun

Re: [PATCH v2 02/10] userns: Add per user namespace sysctls.

2016-07-25 Thread Eric W. Biederman
"Eric W. Biederman" <ebied...@xmission.com> writes: > Limit per userns sysctls to only be opened for write by a holder > of CAP_SYS_RESOURCE. > > Add all of the necessary boilerplate for having per user namespace > sysctls. > @@ -141,6 +215,7 @@ void free

Re: [PATCH v2 09/10] netns: Add a limit on the number of net namespaces

2016-07-26 Thread Eric W. Biederman
Andrei Vagin <ava...@gmail.com> writes: > On Thu, Jul 21, 2016 at 9:40 AM, Eric W. Biederman <ebied...@xmission.com> > wrote: >> index 2c2eb1b629b1..a489f192d619 100644 >> --- a/net/core/net_namespace.c >> +++ b/net/core/net_namespace.c >> @@ -266,6 +266

Re: [PATCH v2 02/10] userns: Add per user namespace sysctls.

2016-07-25 Thread Eric W. Biederman
David Miller <da...@davemloft.net> writes: > From: ebied...@xmission.com (Eric W. Biederman) > Date: Mon, 25 Jul 2016 19:44:50 -0500 > >> User namespaces have enabled unprivileged users access to a lot more >> data structures and so to catch programs that go crazy we ne

Re: [PATCH v2 02/10] userns: Add per user namespace sysctls.

2016-07-25 Thread Eric W. Biederman
David Miller <da...@davemloft.net> writes: > From: ebied...@xmission.com (Eric W. Biederman) > Date: Mon, 25 Jul 2016 19:02:01 -0500 > >>Which means this change has to wait for next cycle. > > Ok. For clarity I intend to merge these changes th

Re: iproute2 mpls max labels

2016-07-21 Thread Eric W. Biederman
Roopa Prabhu writes: > On 7/16/16, 11:24 AM, Magnus Bergroth wrote: >> Wanted to use more than the default maximum of 8 mpls labels. Max labels >> seem to be hardcoded to 8 in two places. >> >> --- iproute2-4.6.0/lib/utils.c2016-05-18 20:56:02.0 +0200 >>

Re: [PATCH v2 00/10] userns: sysctl limits for namespaces

2016-07-22 Thread Eric W. Biederman
Colin Walters <walt...@verbum.org> writes: > On Thu, Jul 21, 2016, at 12:39 PM, Eric W. Biederman wrote: >> >> This patchset addresses two use cases: >> - Implement a sane upper bound on the number of namespaces. >> - Provide a way for sandboxes to limit the at

Re: iproute2 mpls max labels

2016-07-22 Thread Eric W. Biederman
Roopa Prabhu <ro...@cumulusnetworks.com> writes: > On 7/21/16, 1:00 PM, Eric W. Biederman wrote: >> Roopa Prabhu <ro...@cumulusnetworks.com> writes: >> >>> On 7/16/16, 11:24 AM, Magnus Bergroth wrote: >>>> Wanted to use more than the default

Re: iproute2 mpls max labels

2016-07-22 Thread Eric W. Biederman
Magnus Bergroth <bergr...@nordu.net> writes: >> Eric W. Biederman <mailto:ebied...@xmission.com> >> a) I just looked and the kernel netlink protocol does not have a limit. >>The kernel does have a limit but the netlink protocol does not so >>th

Re: [PATCH v2 00/10] userns: sysctl limits for namespaces

2016-07-22 Thread Eric W. Biederman
Kees Cook <keesc...@chromium.org> writes: > On Fri, Jul 22, 2016 at 11:45 AM, Eric W. Biederman > <ebied...@xmission.com> wrote: >> Colin Walters <walt...@verbum.org> writes: >> >>> On Thu, Jul 21, 2016, at 12:39 PM, Eric W. Biederman wrote:

Re: [PATCH v2 00/10] userns: sysctl limits for namespaces

2016-07-26 Thread Eric W. Biederman
"Michael Kerrisk (man-pages)" <mtk.manpa...@gmail.com> writes: > Hello Eric, > > I realized I had a question after the last mail. > > On 07/21/2016 06:39 PM, Eric W. Biederman wrote: >> >> This patchset addresses two use cases: >> - Impleme

Re: [PATCH v2 00/10] userns: sysctl limits for namespaces

2016-07-26 Thread Eric W. Biederman
"Michael Kerrisk (man-pages)" <mtk.manpa...@gmail.com> writes: > Hello Eric, > > On 07/21/2016 06:39 PM, Eric W. Biederman wrote: >> >> This patchset addresses two use cases: >> - Implement a sane upper bound on the number of namespaces. >>

Re: [PATCH RESEND nf] netfilter: avoid a race between nf_register_hook() and cleanup_net()

2016-07-30 Thread Eric W. Biederman
; nf_{,un}register_hook() (also) by net_mutex. There is already a > precedent for this in rtnl_link_unregister() which addresses a similar > race. So this analysis of a problem appears to be spot on. Reviewed-by: "Eric W. Biederman" <ebied...@xmission.com> I really really wan

Re: [PATCH 1115/1285] Replace numeric parameter like 0444 with macro

2016-08-02 Thread Eric W. Biederman
Baole Ni writes: > I find that the developers often just specified the numeric value > when calling a macro which is defined with a parameter for access permission. > As we know, these numeric values for access permission have had the > corresponding macro, > and that using

[PATCH v2 04/10] userns: Generalize the user namespace count into ucount

2016-07-21 Thread Eric W. Biederman
The same kind of recursive sane default limit and policy control that has been implemented for the user namespace is desirable for the other namespaces, so generalize the user namespace reference count into a ucount. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --

[PATCH v2 07/10] ipcns: Add a limit on the number of ipc namespaces

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 1 + ipc/namespace.c| 42 +++--- kernel/user_namespace.c| 1 + 3 files changed, 33 insertions(+), 11 deletions(-) diff

[PATCH v2 09/10] netns: Add a limit on the number of net namespaces

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 1 + kernel/user_namespace.c| 1 + net/core/net_namespace.c | 15 +++ 3 files changed, 17 insertions(+) diff --git a/include/linux/user_namespace.h

[PATCH v2 03/10] userns: Add a limit on the number of user namespaces

2016-07-21 Thread Eric W. Biederman
Export the maximum number of user namespaces as /proc/sys/userns/max_user_namespaces. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 2 ++ kernel/fork.c | 2 ++ kernel/user_namespa

[PATCH v2 00/10] userns: sysctl limits for namespaces

2016-07-21 Thread Eric W. Biederman
. These patches are also available at: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing Changes since v1: - Compilation issues with !CONFIG_SYSCTL and !CONFIG_USER_NS have been addressed - Comment improvements. - A few names have been changed to be clearer. Eric W

[PATCH v2 01/10] sysctl: Stop implicitly passing current into sysctl_table_root.lookup

2016-07-21 Thread Eric W. Biederman
-by: Serge Hallyn <se...@hallyn.com> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- fs/proc/proc_sysctl.c | 14 +++--- include/linux/sysctl.h | 3 +-- net/sysctl_net.c | 4 ++-- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/f

[PATCH v2 02/10] userns: Add per user namespace sysctls.

2016-07-21 Thread Eric W. Biederman
Limit per userns sysctls to only be opened for write by a holder of CAP_SYS_RESOURCE. Add all of the necessary boilerplate for having per user namespace sysctls. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 4 ++ kernel/

[PATCH v2 05/10] pidns: Add a limit on the number of pid namespaces

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 1 + kernel/pid_namespace.c | 22 ++ kernel/user_namespace.c| 1 + 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/include/linux/us

[PATCH v2 06/10] utsns: Add a limit on the number of uts namespaces

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 1 + kernel/user_namespace.c| 1 + kernel/utsname.c | 31 ++- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git

[PATCH v2 10/10] mntns: Add a limit on the number of mount namespaces.

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- fs/namespace.c | 19 ++- include/linux/user_namespace.h | 1 + kernel/user_namespace.c| 1 + 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c

[PATCH v2 08/10] cgroupns: Add a limit on the number of cgroup namespaces

2016-07-21 Thread Eric W. Biederman
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> --- include/linux/user_namespace.h | 1 + kernel/cgroup.c| 15 +++ kernel/user_namespace.c| 1 + 3 files changed, 17 insertions(+) diff --git a/include/linux/user_namespace.h

Re: [iproute PATCH 0/2] Netns performance improvements

2016-07-07 Thread Eric W. Biederman
Rick Jones writes: > On 07/07/2016 08:48 AM, Phil Sutter wrote: >> On Thu, Jul 07, 2016 at 02:59:48PM +0200, Nicolas Dichtel wrote: >>> On 07/07/2016 13:17, Phil Sutter wrote: >>> [snip] The issue came up during OpenStack Neutron testing, see this ticket for

Re: [iproute PATCHv2 0/2] Netns performance improvements

2016-07-06 Thread Eric W. Biederman
Stephen Hemminger writes: > On Tue, 5 Jul 2016 16:51:18 +0200 > Phil Sutter wrote: > >> Stress-testing OpenStack Neutron revealed poor performance of 'ip netns' >> when dealing with a high amount of namespaces. The cause of this lies in >> the

Re: [iproute PATCH 0/2] Netns performance improvements

2016-07-06 Thread Eric W. Biederman
that don't contain and those 100 mount namespaces that share with each other are your real concern. But I don't know. > On Tue, Jul 05, 2016 at 09:44:00AM -0500, Eric W. Biederman wrote: >> Phil Sutter <p...@nwl.cc> writes: >> >> > Stress-testing OpenStack Neutron revealed

Re: [iproute PATCH 0/2] Netns performance improvements

2016-07-08 Thread Eric W. Biederman
Rick Jones <rick.jon...@hpe.com> writes: > On 07/07/2016 09:34 AM, Eric W. Biederman wrote: >> Rick Jones <rick.jon...@hpe.com> writes: >>> 300 routers is far from the upper limit/goal. Back in HP Public >>> Cloud, we were running as many as 700 routers

Re: [iproute PATCH 0/2] Netns performance improvements

2016-07-05 Thread Eric W. Biederman
Phil Sutter writes: > Stress-testing OpenStack Neutron revealed poor performance of 'ip netns' > when dealing with a high amount of namespaces. The cause of this lies in > the combination of how iproute2 mounts NETNS_RUN_DIR and the netns files > therein and the fact that systemd

Re: [PATCH] net: make net namespace sysctls belong to container's owner

2016-08-08 Thread Eric W. Biederman
ause we do not > need to fudge permissions anymore for the container's owner since it now > owns the objects in question. Acked-by: "Eric W. Biederman" <ebied...@xmission.com> Overall this seems reasonable. However I am not a fan of your error handling. > Signed-off-

Re: [PATCH v2 00/10] userns: sysctl limits for namespaces

2016-08-08 Thread Eric W. Biederman
I won't have any more time for this until I return from vacation at the end of the month but after a little bit of thought I think I have fixed all of the bugs (except arguably the return value). I have further tweaked these and made the limits per user. Because it occurred to me that if the

Re: [PATCH] net: make net namespace sysctls belong to container's owner

2016-08-08 Thread Eric W. Biederman
Dmitry Torokhov <dmitry.torok...@gmail.com> writes: > On Mon, Aug 8, 2016 at 2:08 PM, Eric W. Biederman <ebied...@xmission.com> > wrote: >> Dmitry Torokhov <dmitry.torok...@gmail.com> writes: >> >>> If net namespace is attached to a user namespace let

Re: [PATCH net] bpf: expose netns inode to bpf programs

2017-02-03 Thread Eric W. Biederman
Andy Lutomirski <l...@amacapital.net> writes: > On Thu, Feb 2, 2017 at 8:33 PM, Eric W. Biederman <ebied...@xmission.com> > wrote: >> Alexei Starovoitov <a...@fb.com> writes: >> >>> On 1/26/17 11:07 AM, Andy Lutomirski wrote: >>>> On Thu,

Re: [PATCH net] bpf: expose netns inode to bpf programs

2017-02-02 Thread Eric W. Biederman
Alexei Starovoitov writes: > On 1/26/17 11:07 AM, Andy Lutomirski wrote: >> On Thu, Jan 26, 2017 at 10:32 AM, Alexei Starovoitov wrote: >>> On 1/26/17 10:12 AM, Andy Lutomirski wrote: On Thu, Jan 26, 2017 at 9:46 AM, Alexei Starovoitov wrote:

Re: [PATCH net-next] mpls: allow TTL propagation to/from IP packets to be configured

2017-02-02 Thread Eric W. Biederman
Robert Shearman <rshea...@brocade.com> writes: > On 31/01/17 00:17, Eric W. Biederman wrote: >> Robert Shearman <rshea...@brocade.com> writes: >> >>> It is sometimes desirable to present an MPLS transport network as a >>> single hop to traffic tra

Re: [PATCH net] bpf: expose netns inode to bpf programs

2017-02-03 Thread Eric W. Biederman
Alexei Starovoitov <alexei.starovoi...@gmail.com> writes: > On Fri, Feb 03, 2017 at 05:33:45PM +1300, Eric W. Biederman wrote: >> >> The point is that we can make the inode number stable across migration >> and the user space API for namespaces has been designed with

Re: [PATCH net-next] mpls: allow TTL propagation to/from IP packets to be configured

2017-01-30 Thread Eric W. Biederman
Robert Shearman writes: > It is sometimes desirable to present an MPLS transport network as a > single hop to traffic transiting it because it prevents confusion when > diagnosing failures. An example of where confusion can be generated is > when addresses used in the

Re: [PATCH v2] bpf: Restrict cgroup bpf hooks to the init netns

2017-01-25 Thread Eric W. Biederman
Andy Lutomirski writes: > On Tue, Jan 24, 2017 at 4:11 PM, Alexei Starovoitov > wrote: >> On Tue, Jan 24, 2017 at 01:24:54PM -0800, Andy Lutomirski wrote: >>> On Tue, Jan 24, 2017 at 12:29 PM, David Ahern >>> wrote:

Re: [PATCH net] bpf: expose netns inode to bpf programs

2017-01-25 Thread Eric W. Biederman
all non-init netns the program can do: > if (sk->type == SOCK_RAW && sk->netns_inum != 0xf075) > return 0; > where 0xf075 inode comes from /proc/pid/ns/net > > Similarly TC cls_bpf/act_bpf and socket filters can do > if (skb->netns_inum == expected_inode)

Re: [PATCH v4 net] bpf: add bpf_sk_netns_id() helper

2017-02-15 Thread Eric W. Biederman
David Ahern <d...@cumulusnetworks.com> writes: > On 2/15/17 8:25 PM, Andy Lutomirski wrote: >> On Wed, Feb 15, 2017 at 7:18 PM, David Ahern <d...@cumulusnetworks.com> >> wrote: >>> On 2/15/17 8:08 PM, Eric W. Biederman wrote: >>>> David Ahern <d

Re: [PATCH net v5] bpf: add helper to compare network namespaces

2017-02-15 Thread Eric W. Biederman
David Ahern writes: > In cases where bpf programs are looking at sockets and packets > that belong to different netns, it could be useful to compare the > network namespace of the socket or packet > > Introduce bpf_sk_netns_cmp and bpf_skb_netns_cmp helpers to compare >

Re: [PATCH v4 net] bpf: add bpf_sk_netns_id() helper

2017-02-15 Thread Eric W. Biederman
David Ahern <d...@cumulusnetworks.com> writes: > On 2/14/17 12:21 AM, Eric W. Biederman wrote: >>> in cases where bpf programs are looking at sockets and packets >>> that belong to different netns, it could be useful to get an id >>> that uniquely iden

Re: [PATCH net v5] bpf: add helper to compare network namespaces

2017-02-23 Thread Eric W. Biederman
David Ahern <d...@cumulusnetworks.com> writes: > On 2/19/17 9:17 PM, Eric W. Biederman wrote: >>>> @@ -2597,6 +2598,39 @@ static const struct bpf_func_proto >>>> bpf_xdp_event_output_proto = { >>>>.arg5_type = ARG_CONST_STACK_SIZE, >

Re: [PATCH net v5] bpf: add helper to compare network namespaces

2017-02-19 Thread Eric W. Biederman
Daniel Borkmann writes: > On 02/16/2017 02:29 AM, David Ahern wrote: >> In cases where bpf programs are looking at sockets and packets >> that belong to different netns, it could be useful to compare the >> network namespace of the socket or packet >> >> Introduce

Re: Fw: [Bug 193911] New: net_prio.ifpriomap is not aware of the network namespace, and discloses all network interface

2017-02-12 Thread Eric W. Biederman
Tejun Heo writes: > Hello, > > On Sun, Feb 05, 2017 at 11:05:36PM -0800, Cong Wang wrote: >> > To be more specific, the read operation of net_prio.ifpriomap is handled >> > by the >> > function read_priomap. Tracing from this function, we can find it invokes >> >

Re: [PATCH v4 net] bpf: add bpf_sk_netns_id() helper

2017-02-13 Thread Eric W. Biederman
Alexei Starovoitov writes: > in cases where bpf programs are looking at sockets and packets > that belong to different netns, it could be useful to get an id > that uniquely identify a netns within the whole system. It could be useful but there is no unique namespace id. >

Re: fs, net: deadlock between bind/splice on af_unix

2017-01-17 Thread Eric W. Biederman
Al Viro writes: > On Thu, Dec 08, 2016 at 10:32:00PM -0800, Cong Wang wrote: > >> > Why do we do autobind there, anyway, and why is it conditional on >> > SOCK_PASSCRED? Note that e.g. for SOCK_STREAM we can bloody well get >> > to sending stuff without autobind ever

Re: [PATCH 0/5] Make /sys/class/net per net namespace objects belong to container

2016-09-15 Thread Eric W. Biederman
Dmitry Torokhov <dmitry.torok...@gmail.com> writes: > On Mon, Aug 29, 2016 at 5:38 AM, Eric W. Biederman > <ebied...@xmission.com> wrote: >> David Miller <da...@davemloft.net> writes: >> >>> From: Dmitry Torokhov <dmitry.torok...@gmai

Re: [PATCH] netns: move {inc,dec}_net_namespaces into #ifdef

2016-09-23 Thread Eric W. Biederman
Arnd Bergmann writes: > With the newly enforced limit on the number of namespaces, > we get a build warning if CONFIG_NETNS is disabled: > > net/core/net_namespace.c:273:13: error: 'dec_net_namespaces' defined but not > used [-Werror=unused-function] >

Re: [PATCH 0/5] Make /sys/class/net per net namespace objects belong to container

2016-08-29 Thread Eric W. Biederman
David Miller writes: > From: Dmitry Torokhov > Date: Tue, 16 Aug 2016 15:33:10 -0700 > >> There are objects in /sys hierarchy (/sys/class/net/) that logically belong >> to a namespace/container. Unfortunately all sysfs objects start their life >>
