[RFC] L3 network isolation : broadcast

Daniel Lezcano dlezcano at fr.ibm.com
Wed Dec 13 12:43:22 PST 2006

Hi all,

I am trying to find a solution to handle the broadcast traffic on the l3 

The broadcast issue comes from the l2 isolation:

in udp.c

static inline struct sock *udp_v4_mcast_next(struct sock *sk,
					__be16 loc_port,
					__be32 loc_addr,
					__be16 rmt_port,
					__be32 rmt_addr,
					int dif)
{
	struct hlist_node *node;
	struct sock *s = sk;
	struct net_namespace *ns = current_net_ns;
	unsigned short hnum = ntohs(loc_port);

	sk_for_each_from(s, node) {
		struct inet_sock *inet = inet_sk(s);

		/* skip sockets whose local port, peer, local address, family,
		 * network namespace or bound device do not match the packet;
		 * the namespace check is on s (the socket being examined),
		 * not on the list head sk */
		if (inet->num != hnum					||
		    (inet->daddr && inet->daddr != rmt_addr)		||
		    (inet->dport != rmt_port && inet->dport)		||
		    (inet->rcv_saddr && inet->rcv_saddr != loc_addr)	||
		    ipv6_only_sock(s)					||
		    !net_ns_match(s->sk_net_ns, ns)			||
		    (s->sk_bound_dev_if && s->sk_bound_dev_if != dif))
			continue;
		/* honour the socket's multicast source filter */
		if (!ip_mc_sf_allow(s, loc_addr, rmt_addr, dif))
			continue;
		goto found;
	}
	s = NULL;
found:
	return s;
}

This is absolutely correct for l2 namespaces because they share the 
socket hash table. But that is not correct for l3 namespaces because we 
want to deliver the packet to each l3 namespace which has bound to 
the broadcast address, so we should avoid checking net_ns_match if we 
are in a layer 3 namespace. Doing that we will break the l2 isolation 
because another l2 namespace could have bound to the same broadcast 

The solution I see here is:

if namespace is l3 then
	net_ns matches any net_ns registered as listening on this address

The registered network namespace is a list shared between brother l3 
namespaces. This will add more overhead for sure. Does anyone have 
comments on that or perhaps a better solution?
