Ben Hutchings, on Tue, 19 Dec 2017 03:37:03 +0000, wrote:
> On Mon, 2017-12-18 at 01:44 +0100, Samuel Thibault wrote:
> > Ben Hutchings, on Mon, 18 Dec 2017 00:37:48 +0000, wrote:
> > > On Mon, 2017-12-18 at 00:12 +0100, Samuel Thibault wrote:
> > > > It can be used as a maintained user-land TCP/IP stack.
> > >
> > > Why would this be useful for Debian systems, which already have a much
> > > better performing TCP/IP stack?
> >
> > But the kernel-provided stack can't be manipulated by userland for
> > e.g. VPNs, ppp, etc. without having to be root.
> [...]
>
> Not quite. On Linux you need CAP_NET_ADMIN in some user namespace.

Which is not so much more available.

> (In Debian this feature is guarded by a sysctl that's off by default,
> as a security mitigation.)

And thus is not generally available in installed systems.

> Even if that's disabled, a privileged container manager can create a
> new user namespace and start a container within that namespace with the
> CAP_NET_ADMIN capability.

Which doesn't usually happen on installed systems. I won't even try, I'm
sure admins of my work clusters will refuse to enable this, for fear of
the security consequences.

> To use lwip you would presumably need raw access to a network device,
> which also requires a privileged capability.

Not if it's a vpn or ppp over USB, etc., precisely. It is exactly the
kind of reason why qemu's user-land TCP/IP stack is the default.

Samuel
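The thread above turns on two facts an administrator can verify on a given host: whether a process actually holds CAP_NET_ADMIN, and whether the Debian kernel's knob for unprivileged user namespaces is switched on. The following script is an added example, not code from either poster or from the lwip or Debian projects. It decodes the CapEff mask from /proc/<pid>/status (CAP_NET_ADMIN is capability bit 12 in linux/capability.h) and reads the Debian-specific sysctl kernel.unprivileged_userns_clone; the sysctl name is assumed from Debian kernel packaging and is absent on upstream kernels, which the code reports as "no such knob". The /proc/status snippets are constructed sample input.

```python
"""Check whether a process holds CAP_NET_ADMIN and whether the Debian
kernel allows unprivileged user namespaces (added example, not from the
original thread)."""
import re

CAP_NET_ADMIN = 12  # capability bit number from linux/capability.h

# Debian-specific sysctl (assumption: name as shipped in Debian kernels;
# upstream kernels have no such file).
DEBIAN_USERNS_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"

# Constructed sample: capability lines of an ordinary unprivileged shell.
SAMPLE_STATUS_UNPRIVILEGED = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
"""

# Constructed sample: a process granted only CAP_NET_ADMIN (bit 12 = 0x1000).
SAMPLE_STATUS_NET_ADMIN = """\
Name:\tpppd
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000003fffffffff
"""


def parse_cap_mask(status_text, field="CapEff"):
    """Return the capability bitmask of the given Cap* field as an int."""
    pattern = r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field)
    match = re.search(pattern, status_text, re.MULTILINE)
    if not match:
        raise ValueError("field %s not found in status text" % field)
    return int(match.group(1), 16)


def has_capability(mask, cap_bit):
    """True if capability number cap_bit is set in mask."""
    return bool((mask >> cap_bit) & 1)


def capability_bits(mask):
    """Sorted list of capability numbers set in mask."""
    return [bit for bit in range(64) if has_capability(mask, bit)]


def process_has_net_admin(pid="self"):
    """Read /proc/<pid>/status and report whether CAP_NET_ADMIN is effective."""
    with open("/proc/%s/status" % pid) as status_file:
        mask = parse_cap_mask(status_file.read())
    return has_capability(mask, CAP_NET_ADMIN)


def unprivileged_userns_allowed(path=DEBIAN_USERNS_SYSCTL):
    """True/False from the Debian sysctl; None if the kernel has no such knob."""
    try:
        with open(path) as sysctl_file:
            return sysctl_file.read().strip() == "1"
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print("this process has CAP_NET_ADMIN:", process_has_net_admin())
    allowed = unprivileged_userns_allowed()
    if allowed is None:
        print("no Debian unprivileged_userns_clone knob on this kernel")
    else:
        print("unprivileged user namespaces allowed:", allowed)
```

Run as an ordinary user on a stock Debian system of that era and both answers come out negative, which is the situation Samuel describes: without CAP_NET_ADMIN and without the sysctl, a userland stack like lwip on a VPN or ppp-over-USB link is the route that needs no privilege at all.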