Message ID | 1544976940-10676-1-git-send-email-xiangxia.m.yue@gmail.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
Series | [net-next] net: ipv4: allocate ipv4_devconf memory for init_net | expand |
On Sun, Dec 16, 2018 at 8:24 AM <xiangxia.m.yue@gmail.com> wrote: > > From: Tonghao Zhang <xiangxia.m.yue@gmail.com> > > The devconf setting on the init_net will affect other > namespace when them created. For example: > > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > 0 > $ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > 2 > > $ ip netns add ns100 > $ ip netns exec ns100 bash > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > 2 > > The value of rp_filter in the ns100, should be 0 as > default, but it is 2 same as _init_net_. This has been a known issue for a long time. There were several attempts to fix this. The concern here is whether it breaks existing applications' expectation with the change like yours. There was a proposal introduces a new /proc file to control this behavior, I forget why it is not accepted either. Please check netdev archives. Thanks.
On Mon, Dec 17, 2018 at 3:06 AM Cong Wang <xiyou.wangcong@gmail.com> wrote: > > On Sun, Dec 16, 2018 at 8:24 AM <xiangxia.m.yue@gmail.com> wrote: > > > > From: Tonghao Zhang <xiangxia.m.yue@gmail.com> > > > > The devconf setting on the init_net will affect other > > namespace when them created. For example: > > > > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > > 0 > > $ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter > > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > > 2 > > > > $ ip netns add ns100 > > $ ip netns exec ns100 bash > > $ cat /proc/sys/net/ipv4/conf/all/rp_filter > > 2 > > > > The value of rp_filter in the ns100, should be 0 as > > default, but it is 2 same as _init_net_. > > This has been a known issue for a long time. There > were several attempts to fix this. > > The concern here is whether it breaks existing applications' > expectation with the change like yours. There was a proposal > introduces a new /proc file to control this behavior, I forget > why it is not accepted either. Please check netdev archives. I check netdev archives and a patch to fix it, but I do not find why not applied. https://lore.kernel.org/patchwork/patch/493547/ > Thanks.
From: Cong Wang <xiyou.wangcong@gmail.com> Date: Sun, 16 Dec 2018 11:06:39 -0800 > On Sun, Dec 16, 2018 at 8:24 AM <xiangxia.m.yue@gmail.com> wrote: >> >> From: Tonghao Zhang <xiangxia.m.yue@gmail.com> >> >> The devconf setting on the init_net will affect other >> namespace when them created. For example: ... > This has been a known issue for a long time. There > were several attempts to fix this. > > The concern here is whether it breaks existing applications' > expectation with the change like yours. There was a proposal > introduces a new /proc file to control this behavior, I forget > why it is not accepted either. Please check netdev archives. Please see: https://patchwork.ozlabs.org/patch/488675/ I know why you couldn't find this. In order to speed up database queries, after some time we mark patchwork entires older than a certain date as "archived". By default searches do not consider archived entries. So you have to click the "Yes" checkbox for Archived in the search dialogue.
On Wed, Dec 19, 2018 at 7:09 AM David Miller <davem@davemloft.net> wrote: > > From: Cong Wang <xiyou.wangcong@gmail.com> > Date: Sun, 16 Dec 2018 11:06:39 -0800 > > > On Sun, Dec 16, 2018 at 8:24 AM <xiangxia.m.yue@gmail.com> wrote: > >> > >> From: Tonghao Zhang <xiangxia.m.yue@gmail.com> > >> > >> The devconf setting on the init_net will affect other > >> namespace when them created. For example: > ... > > This has been a known issue for a long time. There > > were several attempts to fix this. > > > > The concern here is whether it breaks existing applications' > > expectation with the change like yours. There was a proposal > > introduces a new /proc file to control this behavior, I forget > > why it is not accepted either. Please check netdev archives. > > Please see: > > https://patchwork.ozlabs.org/patch/488675/ Thanks, Cong and David. I review the patch [1]. The author didn't explain why we inherit the old configuration. In our case, there are many container which running the different application. We don't know what configuration the user will set. We don't want the new container inherit our host configuration. The reason is show as below: * the host _init_net will be used as SDN network, such as vxlan, and other complex overlay network. * host network configuration should not affect container. * the container and host network configuration are complete isolation. So what's your advice? 1. https://patchwork.ozlabs.org/patch/488675/ > I know why you couldn't find this. > > In order to speed up database queries, after some time we mark > patchwork entires older than a certain date as "archived". By > default searches do not consider archived entries. > > So you have to click the "Yes" checkbox for Archived in the search > dialogue.
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index 5b9b6d4..2edf0f8 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -2555,33 +2555,28 @@ static __net_init int devinet_init_net(struct net *net) int err; struct ipv4_devconf *all, *dflt; #ifdef CONFIG_SYSCTL - struct ctl_table *tbl = ctl_forward_entry; + struct ctl_table *tbl; struct ctl_table_header *forw_hdr; #endif err = -ENOMEM; - all = &ipv4_devconf; - dflt = &ipv4_devconf_dflt; - - if (!net_eq(net, &init_net)) { - all = kmemdup(all, sizeof(ipv4_devconf), GFP_KERNEL); - if (!all) - goto err_alloc_all; + all = kmemdup(&ipv4_devconf, sizeof(ipv4_devconf), GFP_KERNEL); + if (!all) + goto err_alloc_all; - dflt = kmemdup(dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL); - if (!dflt) - goto err_alloc_dflt; + dflt = kmemdup(&ipv4_devconf_dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL); + if (!dflt) + goto err_alloc_dflt; #ifdef CONFIG_SYSCTL - tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL); - if (!tbl) - goto err_alloc_ctl; + tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL); + if (!tbl) + goto err_alloc_ctl; - tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; - tbl[0].extra1 = all; - tbl[0].extra2 = net; + tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1]; + tbl[0].extra1 = all; + tbl[0].extra2 = net; #endif - } #ifdef CONFIG_SYSCTL err = __devinet_sysctl_register(net, "all", NETCONFA_IFINDEX_ALL, all); @@ -2610,15 +2605,12 @@ static __net_init int devinet_init_net(struct net *net) err_reg_dflt: __devinet_sysctl_unregister(net, all, NETCONFA_IFINDEX_ALL); err_reg_all: - if (tbl != ctl_forward_entry) - kfree(tbl); + kfree(tbl); err_alloc_ctl: #endif - if (dflt != &ipv4_devconf_dflt) - kfree(dflt); + kfree(dflt); err_alloc_dflt: - if (all != &ipv4_devconf) - kfree(all); + kfree(all); err_alloc_all: return err; }