[Devel] Re: Network Namespace-1000 networks with Overlap Addresses

Eric W. Biederman ebiederm at xmission.com
Wed Apr 22 03:57:13 PDT 2009


"Serge E. Hallyn" <serue at us.ibm.com> writes:

> Quoting Krishna Vamsi-B22174 (avamsi at freescale.com):
>> 
>> 
>> Hi,
>> 
>> I am a newbie  to this list.  Here is my use case , we have  Loadable
>> Kernel Module which applies security to
>> the packets arriving from 1000 networks with overlap addresses. There
>> are 3 different  user space process which handles 
>> control traffic  from these 1000 networks .   
>> 
>> Please let me know
>> 
>> 1)How to create a Network Namespace Object ?
>
> clone(CLONE_NEWNET)
>
>> 2)How to delete a Network Namespace Object ?
>
> exit
>
>> 3)Can these 3  user space process see all the Network Namespace objects
>> created in the kernel ?
>
> No, network namespaces are fully isolated.  A virtual nic can only exist
> in one network namespace, and physical nics can only exist in the
> initial network namespace.

Sockets can be passed between network namespaces if you set things up correctly.
At which point you can have 3 user space processes doing all of the work.

It can be a bit of a pain to have processes lying around just so you can
create a socket in another network namespace but the code works today
and isn't too bad.

>>  If so, how can they access these objects?
>> 4)How to group 2-3 interfaces under a particular Network Namespace ?
>
> I don't understand the question, but you pass a veth endpoint into a
> network namespace using
>
> 	/sbin/ip link set veth1 netns $pid_in_other_netns

yep.

Eric
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list