On 12/06/2017 08:40 PM, David Miller wrote:
> From: Kevin Cernekee
> Date: Tue, 5 Dec 2017 14:46:22 -0800
>
>> Currently, a nlmon link inside a child namespace can observe systemwide
>> netlink activity. Filter the traffic so that in a non-init netns,
>> nlmon can only sniff netlink messages from its own netns.

From: Kevin Cernekee
Date: Tue, 5 Dec 2017 14:46:22 -0800
> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity. Filter the traffic so that in a non-init netns,
> nlmon can only sniff netlink messages from its own netns.
>
> Test case:
>
> vpnns -- b

On Tue, Dec 5, 2017 at 6:19 PM, David Ahern wrote:
>> + if (!net_eq(dev_net(dev), sock_net(sk)) &&
>> + !net_eq(dev_net(dev), &init_net)) {
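Review bot: the second clause, `!net_eq(dev_net(dev), &init_net)`, exempts an nlmon device that lives in the init namespace from the filter, so that device keeps observing netlink traffic from every namespace while a device in a child namespace sees only its own. If that asymmetry is intended, the commit message should say so explicitly (it currently only states the rule for non-init namespaces); if not, drop the clause so the check reduces to `!net_eq(dev_net(dev), sock_net(sk))`.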
>
> Why is init_net special? Seems like snooping should be limited to the
> namespace you are in.
Depends how important it is to preserve the cur

On 12/5/17 3:46 PM, Kevin Cernekee wrote:
> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity. Filter the traffic so that in a non-init netns,
> nlmon can only sniff netlink messages from its own netns.
>
> Test case:
>
> vpnns -- bash -c "ip link add

Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity. Filter the traffic so that in a non-init netns,
nlmon can only sniff netlink messages from its own netns.
Test case:
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
ip link set