On Friday 19 January 2007 10:27, Eric W. Biederman wrote:
> YOSHIFUJI Hideaki / 吉藤英明 <[EMAIL PROTECTED]> writes:
>
> > In article <[EMAIL PROTECTED]> (at Wed, 17 Jan 2007 18:51:14
> > +0300), Dmitry Mishin <[EMAIL PROTECTED]> says:
> >
> >>
On Wednesday 17 January 2007 23:16, Eric W. Biederman wrote:
> Dmitry Mishin <[EMAIL PROTECTED]> writes:
>
> > Added functions and macros required to operate with network namespaces.
> > They are required in order to switch network namespace for incoming packets
> >
Introduce two kinds of network namespaces: level 2 and level 3. The first one is a
namespace with a full set of networking objects, while the second one is
socket-level, with a restricted set.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
include/linux/net_namespace.h |3 +++
ne
Only the current net namespace's sockets, or all sockets in the case of init_net_ns, should
be visible through the proc interface.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
include/net/af_unix.h | 21 +
net/ipv4/tcp_ipv4.c |9 +
net/ipv4/udp.c
;c patchset
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
drivers/net/veth.c | 121 +++
fs/proc/array.c |8 +++
kernel/fork.c|1
kernel/nsproxy.c |1
net/core/net_namespace.c |3 +
5
A simple device to pass packets between a namespace and its child.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
drivers/net/Makefile |3
drivers/net/veth.c | 321 +++
net/core/net_namespace.c |1
3 files change
Library function to create a seq_file in proc filesystem,
showing some information for each netdevice.
This code is present in the kernel in about 10 instances, and
all of them can be converted to use the introduced library function.
Signed-off-by: Andrey Savochkin <[EMAIL PROTECTED]>
---
include/
Destructor field added to proc_dir_entries;
a standard destructor that kfree's the data is introduced.
Signed-off-by: Andrey Savochkin <[EMAIL PROTECTED]>
---
fs/proc/generic.c | 10 --
fs/proc/root.c |1 +
include/linux/proc_fs.h |4
3 files changed, 13 insertions(+), 2 d
Socket hash lookups are made within a namespace. Hash tables are common for all
namespaces, with an additional permutation of indexes. Asynchronous events
should be run in the proper namespace.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
include/linux/ipv6.h |3 ++-
i
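The two design points above (the proc listing that shows only the caller's namespace unless the caller is init_net_ns, and hash lookups that stay within a namespace while sharing one table with a namespace-permuted index) can be shown in a small userspace model. This is an added example, not code from the patchset or from the kernel: struct net_ns, struct sock_entry, sock_insert(), sock_lookup() and sock_count_visible() are illustrative names standing in for the kernel's struct net, struct sock and the inet hash helpers, and the addresses are constructed sample data.

```c
/* Added example, not code from the patchset. A shared socket hash table
 * whose bucket index is permuted by the owning network namespace, lookups
 * that match on namespace as well as address/port, and a /proc-style
 * visibility rule: init_net_ns sees every socket, any other namespace
 * sees only its own. Names are illustrative stand-ins for kernel types. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HASH_BITS 4
#define HASH_SIZE (1u << HASH_BITS)

struct net_ns {
    const char *name;
};

struct sock_entry {
    struct net_ns *ns;          /* owning namespace */
    uint32_t laddr;             /* local IPv4 address, host order */
    uint16_t lport;             /* local port */
    struct sock_entry *next;    /* hash chain */
};

static struct sock_entry *sock_table[HASH_SIZE];
static struct net_ns init_net_ns = { "init_net_ns" };

/* Bucket index with the namespace identity mixed in, so equal (addr, port)
 * pairs owned by different namespaces are spread over different chains. */
static unsigned sock_hash(const struct net_ns *ns, uint32_t addr, uint16_t port)
{
    uint32_t h = addr ^ ((uint32_t)port << 16) ^ (uint32_t)(uintptr_t)ns;
    h ^= h >> 16;
    h *= 0x45d9f3bu;
    h ^= h >> 13;
    return h & (HASH_SIZE - 1);
}

struct sock_entry *sock_insert(struct net_ns *ns, uint32_t addr, uint16_t port)
{
    struct sock_entry *sk = malloc(sizeof *sk);
    if (!sk)
        return NULL;
    unsigned slot = sock_hash(ns, addr, port);
    sk->ns = ns;
    sk->laddr = addr;
    sk->lport = port;
    sk->next = sock_table[slot];
    sock_table[slot] = sk;
    return sk;
}

/* The namespace is part of the key: a socket owned by another namespace
 * is never returned, even when the bucket index collides. */
struct sock_entry *sock_lookup(const struct net_ns *ns, uint32_t addr, uint16_t port)
{
    for (struct sock_entry *sk = sock_table[sock_hash(ns, addr, port)]; sk; sk = sk->next)
        if (sk->ns == ns && sk->laddr == addr && sk->lport == port)
            return sk;
    return NULL;
}

/* /proc visibility: init_net_ns sees all sockets, others only their own. */
int sock_count_visible(const struct net_ns *viewer)
{
    int n = 0;
    for (unsigned i = 0; i < HASH_SIZE; i++)
        for (struct sock_entry *sk = sock_table[i]; sk; sk = sk->next)
            n += (viewer == &init_net_ns || sk->ns == viewer);
    return n;
}

void sock_table_reset(void)
{
    for (unsigned i = 0; i < HASH_SIZE; i++) {
        struct sock_entry *sk = sock_table[i];
        while (sk) {
            struct sock_entry *next = sk->next;
            free(sk);
            sk = next;
        }
        sock_table[i] = NULL;
    }
}

int main(void)
{
    struct net_ns ns_a = { "ns_a" }, ns_b = { "ns_b" };
    uint32_t ip = 0x0a000001u;            /* 10.0.0.1, constructed sample */

    sock_insert(&ns_a, ip, 80);
    sock_insert(&ns_b, ip, 80);           /* same addr:port, other namespace */
    sock_insert(&ns_b, 0x0a000002u, 22);

    printf("lookup 10.0.0.1:80 from ns_a -> %s\n", sock_lookup(&ns_a, ip, 80)->ns->name);
    printf("lookup 10.0.0.1:80 from ns_b -> %s\n", sock_lookup(&ns_b, ip, 80)->ns->name);
    printf("ns_a can see 10.0.0.2:22? %s\n", sock_lookup(&ns_a, 0x0a000002u, 22) ? "yes" : "no");
    printf("visible sockets: init=%d ns_a=%d ns_b=%d\n",
           sock_count_visible(&init_net_ns), sock_count_visible(&ns_a), sock_count_visible(&ns_b));
    sock_table_reset();
    return 0;
}
```

The check that matters for isolation is the `sk->ns == ns` comparison in sock_lookup(): mixing the namespace into the hash only spreads the chains, it does not by itself prevent a collision from returning a foreign socket, so the namespace has to be compared on every match.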
Make FIBs per-namespace and add an additional key (net namespace) to lookups in the
routing cache.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
include/linux/net_namespace.h | 12 +++
include/net/flow.h|3
include/net/ip_fib.h | 46 +++---
ne
This patch prohibits sysctl registrations for devices initialized in a non-init
network namespace. This is required due to the absence of sysctl virtualization.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
net/ipv4/devinet.c | 26 --
1 file
Added per-namespace network loopback device
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
drivers/net/loopback.c| 112 +-
include/linux/net_namespace.h |2
include/linux/netdevice.h |6 +-
net/core/dev.c
Added ability to have per-namespace network devices.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
include/linux/net_namespace.h |8 +++-
include/linux/netdevice.h |8
net/core/dev.c| 77 +++---
net/core/net-s
Added functions and macros required to operate with network namespaces.
They are required in order to switch network namespace for incoming packets and
to avoid extending the current network interfaces with an additional network namespace argument.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
i
This is an update of L2 network namespaces patches. They are applicable
to Cedric's 2.6.20-rc4-mm1-lxc2 tree.
Changes:
- updated to 2.6.20-rc4-mm1-lxc2
- current network context is per-CPU now
- fixed compilation without CONFIG_NET_NS
Changed current context definition sh
On Saturday 09 December 2006 09:35, Herbert Poetzl wrote:
> On Fri, Dec 08, 2006 at 10:13:48PM -0800, Andrew Morton wrote:
> > On Sat, 9 Dec 2006 04:50:02 +0100
> > Herbert Poetzl <[EMAIL PROTECTED]> wrote:
> >
> > > On Fri, Dec 08, 2006 at 12:57:49PM -0700, Eric W. Biederman wrote:
> > > > Herber
On Monday 04 December 2006 19:43, Herbert Poetzl wrote:
> On Mon, Dec 04, 2006 at 06:19:00PM +0300, Dmitry Mishin wrote:
> > On Sunday 03 December 2006 19:00, Eric W. Biederman wrote:
> > > Ok. Just a quick summary of where I see the discussion.
> > >
> > >
On Monday 04 December 2006 18:35, Eric W. Biederman wrote:
[skip]
> Where and when you look to find the network namespace that applies to
> a packet is the primary difference between the OpenVZ L2
> implementation and my L2 implementation.
>
> If there is a better and less intrusive while still bei
On Sunday 03 December 2006 19:00, Eric W. Biederman wrote:
> Ok. Just a quick summary of where I see the discussion.
>
> We all agree that L2 isolation is needed at some point.
As we all agreed on this, maybe it is time to send patches one by one?
For the beginning, I propose to resend Cedric's e
If inet6_init() fails later than the ndisc_init() call, or the IPv6 module is
unloaded, the ndisc_netdev_notifier call remains in the list and will result in an
oops later.
Signed-off-by: Dmitry Mishin <[EMAIL PROTECTED]>
---
ndisc.c |1 +
1 file changed, 1 insertion(+)
---
diff --git a/net/ipv6/n
Hi,
Could somebody explain why the bridge uses the minimal MAC of the attached devices?
It makes this address unstable, varying during the bridge's life-cycle, which is
not good for DHCP. For example, I want to attach multiple virtual devices to
one physical one. Then I need to make sure that after each virtua
On Thursday 26 October 2006 19:56, Stephen Hemminger wrote:
> On Thu, 26 Oct 2006 11:44:55 +0200
>
> Daniel Lezcano <[EMAIL PROTECTED]> wrote:
> > Stephen Hemminger wrote:
> > > On Wed, 25 Oct 2006 17:51:28 +0200
> > >
> > > Daniel Lezcano <[EMAIL PROTECTED]> wrote:
> > >>Hi Stephen,
> > >>
> > >>c
Sorry, I don't understand your proposal correctly from the previous talk. :)
But...
On Tuesday 12 September 2006 07:28, Eric W. Biederman wrote:
> Do you have some concrete arguments against the proposal?
Yes, I have. I think it is an unnecessary complication. This complication will
result in additi
On Monday 11 September 2006 18:57, Herbert Poetzl wrote:
> I completely agree here, we need a separate namespace
> for that, so that we can combine isolation and virtualization
> as needed, unless the bind restrictions can be completely
> expressed with an additional mangle or filter table (as
> wa
On Sunday 10 September 2006 07:41, Eric W. Biederman wrote:
> I certainly agree that we are not at a point where a final decision
> can be made. A major piece of that is that a layer 2 approach has
> not shown to be without a performance penalty.
But it is required. Why limit possible usages?
On Sunday 10 September 2006 06:47, Herbert Poetzl wrote:
> well, I think it would be best to have both, as
> they are complementary to some degree, and IMHO
> both, the full virtualization _and_ the isolation
> will require a separate namespace to work,
[snip]
> I do not think that folks would w
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
> actually the light-weight ip isolation runs perfectly
> fine _without_ CAP_NET_ADMIN, as you do not want the
> guest to be able to mess with the 'configured' ips at
> all (not to speak of interfaces here)
It was only an example. I'm thinkin
On Thursday 07 September 2006 21:27, Herbert Poetzl wrote:
> well, who said that you need to have things like RAW sockets
> or other protocols except IP, not to speak of iptable and
> routing entries ...
>
> folks who _want_ full network virtualization can use the
> more complete virtual setup and
-by: Dmitry Mishin <[EMAIL PROTECTED]>
Signed-off-by: Alexey Kuznetsov <[EMAIL PROTECTED]>
Signed-off-by: Kirill Korotaev <[EMAIL PROTECTED]>
--
include/linux/filter.h | 13 +++--
include/net/sock.h | 34 +-
net/core/filter.c |