[Devel] Re: Network Namespace-1000 networks with Overlap Addresses
Eric W. Biederman
ebiederm at xmission.com
Wed Apr 22 03:57:13 PDT 2009
"Serge E. Hallyn" <serue at us.ibm.com> writes:
> Quoting Krishna Vamsi-B22174 (avamsi at freescale.com):
>>
>>
>> Hi,
>>
>> I am a newbie to this list. Here is my use case: we have a Loadable
>> Kernel Module which applies security to
>> the packets arriving from 1000 networks with overlapping addresses. There
>> are 3 different user space processes which handle
>> control traffic from these 1000 networks.
>>
>> Please let me know:
>>
>> 1) How to create a Network Namespace Object?
>
> clone(CLONE_NEWNET)
>
>> 2) How to delete a Network Namespace Object?
>
> exit
>
>> 3) Can these 3 user space processes see all the Network Namespace objects
>> created in the kernel?
>
> No, network namespaces are fully isolated. A virtual nic can only exist
> in one network namespace, and physical nics can only exist in the
> initial network namespace.
Sockets can be passed between network namespaces if you set things up correctly.
At which point you can have 3 user space processes doing all of the work.
It can be a bit of a pain to have processes lying around just so you can
create a socket in another network namespace but the code works today
and isn't too bad.
>> If so, how can they access these objects?
>> 4) How to group 2-3 interfaces under a particular Network Namespace?
>
> I don't understand the question, but you pass a veth endpoint into a
> network namespace using
>
> /sbin/ip link set veth1 netns $pid_in_other_netns
yep.
Eric
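What Eric describes above, creating a socket inside a freshly created network namespace and handing it to a process that lives outside that namespace, as an added example in C that is not part of the original thread. It uses unshare(CLONE_NEWNET) in a forked helper (equivalent for this purpose to the clone(CLONE_NEWNET) Serge mentions) and passes the socket back over a UNIX socketpair with SCM_RIGHTS; all function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Send one file descriptor over a UNIX-domain socket using SCM_RIGHTS.
 * Returns 0 on success, -1 on failure. */
int send_fd(int chan, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor sent with send_fd(). Returns the new fd
 * (a fresh descriptor in this process) or -1 on failure. */
int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Fork a short-lived helper that moves itself into a new network namespace,
 * creates a UDP socket there and hands it back to the caller. The returned
 * descriptor is usable in the caller's process but stays attached to the
 * helper's namespace; the socket keeps that namespace alive after the helper
 * exits. On failure returns -1 with errno set to the helper's error
 * (EPERM when the caller lacks CAP_SYS_ADMIN). */
int socket_from_new_netns(void) {
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(chan[0]); close(chan[1]); return -1; }
    if (pid == 0) {
        close(chan[0]);
        int status = 0, s = -1;
        if (unshare(CLONE_NEWNET) != 0) status = errno;          /* new namespace */
        else if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) status = errno;
        if (write(chan[1], &status, sizeof status) != sizeof status) _exit(1);
        if (status == 0 && send_fd(chan[1], s) != 0) _exit(1);
        _exit(0);
    }
    close(chan[1]);
    int status = EIO, fd = -1;
    if (read(chan[0], &status, sizeof status) == sizeof status && status == 0)
        fd = recv_fd(chan[0]);
    int saved = (fd < 0) ? (status ? status : EIO) : 0;
    close(chan[0]);
    waitpid(pid, NULL, 0);
    if (fd < 0) errno = saved;
    return fd;
}

/* Deterministic check of the fd-passing path inside one namespace:
 * returns 0 when a socket survives the SCM_RIGHTS round trip intact. */
int fd_passing_selftest(void) {
    int chan[2], type = 0;
    socklen_t len = sizeof type;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) != 0) return -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = s >= 0 && send_fd(chan[0], s) == 0;
    int r = ok ? recv_fd(chan[1]) : -1;
    ok = ok && r >= 0 && r != s &&
         getsockopt(r, SOL_SOCKET, SO_TYPE, &type, &len) == 0 && type == SOCK_DGRAM;
    close(chan[0]); close(chan[1]);
    if (s >= 0) close(s);
    if (r >= 0) close(r);
    return ok ? 0 : -1;
}

int main(void) {
    int fd = socket_from_new_netns();
    if (fd < 0) { perror("socket_from_new_netns"); return 1; }
    printf("got fd %d bound to a separate network namespace\n", fd);
    close(fd);
    return 0;
}
```

Creating the namespace needs CAP_SYS_ADMIN, so as an unprivileged user socket_from_new_netns() returns -1 with errno set to EPERM; the SCM_RIGHTS round trip itself needs no privilege. Once a socket has been created, the helper process can go away: the kernel keeps the namespace alive for as long as the socket exists, which is the "pain" Eric refers to reduced to a brief fork per socket rather than a permanently resident process.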