[PATCH 33/33] Enable netfilter in netns
Alexey Dobriyan
adobriyan at gmail.com
Thu Oct 2 02:51:12 PDT 2008
On Thu, Oct 02, 2008 at 11:12:08AM +0200, Patrick McHardy wrote:
> Alexey Dobriyan wrote:
>> From kernel perspective, allow entrance in nf_hook_slow().
>>
>> Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not netns-ready:
>>
>> DECnet netfilter
>> ipt_CLUSTERIP
>> nf_nat_standalone.c together with XFRM (?)
>> IPVS
>> several individual match modules (like hashlimit)
>> ctnetlink
>> NOTRACK
>> all sorts of queueing and reporting to userspace
>> L3 and L4 protocol sysctls, bridge sysctls
>> probably something else
>>
>> Anyway critical mass has been achieved, there is no reason to hide netfilter any longer.
>>
>> From userspace perspective, allow to manipulate all sorts of
>> iptables/ip6tables/arptables rules.
>>
>
> Applied. thanks Alexey.
>
> Is there an easy way to test all this stuff?
I used the following:

0) netns is currently mutually exclusive with sysfs, so depending on
sanity of distro initscripts booting sysfs-less kernel can be tricky.
In Gentoo, for example a) rm -rf /sys (sic!), b) RC_USE_FSTAB="yes",
c) RC_DEVICES="static" in /etc/conf.d/rc are needed.

1) netns creation tool (attached, some container guy posted it somewhere)

    # ns_exec -n /bin/sh

2) shutdown network in init_net

    sudo /etc/init.d/ntpd stop
    sudo /etc/init.d/sshd stop
    sudo /etc/init.d/iptables stop
    sudo /etc/init.d/ip6tables stop
    sudo /etc/init.d/net.eth1 stop
    sudo /etc/init.d/net.eth0 stop

3) move netdevices to netns

    ip l s dev eth0 netns "$1"
    ip l s dev eth1 netns "$1"

where $1 is PID of shell from 1)

4) in netns start everything back

    sudo /etc/init.d/net.eth0 start
    sudo /etc/init.d/net.eth1 start
    sudo /etc/init.d/iptables start
    sudo /etc/init.d/ip6tables start
    sudo /etc/init.d/sshd start
    sudo /etc/init.d/ntpd start

5) at this point my usual NAT setup is back working for me and everything should
be like in init_net (modulo aforementioned exceptions) and
independent from init_net.

Leaked netns are in /proc/slabinfo under "net_namespace".
Some IPv6 printks can be annoying, so mute them.
Object poisoning with SLUB won't work for irrelevant reasons, so use SLAB.

Something like that.
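The ns_exec tool Alexey refers to in step 1) is attached to the original mail and not reproduced on this page. The following is an added, constructed stand-in (not the attached tool, and not kernel code) showing what such a tool has to do for the test procedure above: clone(2) a child with CLONE_NEWNET, exec the requested command inside the fresh net namespace, and print the child's PID so that step 3) can run `ip l s dev eth0 netns <pid>` against it. The "-n" option and the helper names are this example's own choices; creating a net namespace needs CAP_SYS_ADMIN and a kernel with CONFIG_NET_NS.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Map the tool's only option ("-n" = new network namespace, an option name
 * chosen for this example) to the matching clone(2) flag; 0 means "unknown". */
int parse_ns_flag(const char *opt)
{
    if (opt && strcmp(opt, "-n") == 0)
        return CLONE_NEWNET;
    return 0;
}

/* Runs inside the clone()d child: replace ourselves with the requested
 * command. Everything it starts now lives in the new net namespace. */
static int child_fn(void *arg)
{
    char **argv = arg;
    execvp(argv[0], argv);
    perror("execvp");           /* only reached if exec failed */
    return 127;
}

/* Clone a child with ns_flag and exec argv[] in it. Returns the child's PID
 * (the value to hand to "ip link set ... netns <pid>"), or -1 with errno set,
 * e.g. EPERM without CAP_SYS_ADMIN or EINVAL if the kernel lacks CONFIG_NET_NS. */
pid_t spawn_in_netns(int ns_flag, char **argv)
{
    enum { STACK_SIZE = 64 * 1024 };
    static char stack[STACK_SIZE];   /* stack grows down: pass the top */
    return clone(child_fn, stack + STACK_SIZE, ns_flag | SIGCHLD, argv);
}

int main(int argc, char **argv)
{
    int flag = argc >= 3 ? parse_ns_flag(argv[1]) : 0;
    if (flag == 0) {
        fprintf(stderr, "usage: %s -n command [args...]\n", argv[0]);
        return 2;
    }
    pid_t pid = spawn_in_netns(flag, argv + 2);
    if (pid < 0) { perror("clone"); return 1; }
    printf("%d\n", pid);        /* PID to use as "$1" in step 3) */
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

After the shell exits, the namespace is freed; a "net_namespace" count in /proc/slabinfo that does not drop back is the leak check the mail mentions.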