[Devel] [PATCH rh7 0/2] ve/net: Don't show all connections in init netns

Konstantin Khorenko khorenko at virtuozzo.com
Fri Apr 24 20:10:26 MSK 2020


Long ago, in https://bugs.openvz.org/browse/OVZ-5192,
we allowed the host to see Containers' connections,
which is against the usual net namespace rules.

In vz7 the host de facto was never allowed to see Containers' connections:
* first - due to a bug https://bugs.openvz.org/browse/OVZ-6600
* later - due to a fix
  b6c0f8cf6332f ("ve/net: Exclude foreign CT sockets from
  /proc/net/tcp{,6}")

As we consider the current behavior correct (a namespace should not leak
info to other namespaces), let's drop patches which intended to provide
this functionality.

If one wants to check all connections from the host, one can use
"ip -all netns exec netstat -n" to get info about Containers' root net
namespaces.
The latter command shows all netns which were created via the "ip" utility.

If one wants to be more precise and wants to check really ALL net
namespaces, it's enough to iterate over all net namespaces via
"nsenter -t $PROC_PID -n netstat -n".

https://bugs.openvz.org/browse/OVZ-7202

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

Konstantin Khorenko (2):
  Revert "ve/net: Exclude foreign CT sockets from /proc/net/tcp{,6}"
  Revert "net: Show all connections in init namespace"

 include/net/net_namespace.h | 10 ----------
 net/ipv4/raw.c              |  4 ++--
 net/ipv4/tcp_ipv4.c         |  3 +--
 net/ipv4/udp.c              |  4 ++--
 4 files changed, 5 insertions(+), 16 deletions(-)

-- 
2.15.1
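The cover letter suggests iterating over every net namespace with "nsenter -t $PROC_PID -n netstat -n". Below is an added host-side audit script, not part of the patch series or the Virtuozzo tree, that walks /proc/<pid>/ns/net, de-duplicates namespaces by inode, and runs the socket listing once per namespace; it assumes util-linux nsenter is installed and must run as root to enter other users' namespaces.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate every network
# namespace visible through /proc and list sockets inside each one.
# Reading /proc/<pid>/ns/net of other users' processes and calling
# nsenter both require root; unprivileged runs only see own namespaces.

# Print "inode pid" pairs, one line per distinct net namespace.
# $1 is the proc mount point (default /proc); namespaces are identified
# by the inode shown in the "net:[NNN]" symlink target.
list_net_namespaces() {
    procdir="${1:-/proc}"
    for pid_dir in "$procdir"/[0-9]*; do
        pid="${pid_dir##*/}"
        # readlink fails for exited pids or inaccessible tasks: skip them.
        link=$(readlink "$pid_dir/ns/net" 2>/dev/null) || continue
        inode=$(printf '%s' "$link" | tr -cd '0-9')
        [ -n "$inode" ] || continue
        printf '%s %s\n' "$inode" "$pid"
    done | sort -u -k1,1   # keep one representative pid per namespace
}

# Number of distinct net namespaces the caller can see.
count_net_namespaces() {
    list_net_namespaces "$1" | wc -l | tr -d ' '
}

# Run a socket-listing command inside every namespace found.
# $1 is the command (default "netstat -n" as in the post; "ss -tan" is
# a common substitute on hosts without net-tools).
audit_all_net_namespaces() {
    cmd="${1:-netstat -n}"
    list_net_namespaces | while read -r inode pid; do
        printf '=== net namespace inode %s (entered via pid %s) ===\n' \
            "$inode" "$pid"
        # $cmd is intentionally unquoted so its words are split.
        nsenter -t "$pid" -n $cmd 2>/dev/null ||
            echo "(nsenter failed for pid $pid: not root, or pid gone)"
    done
}

# Stand-alone use: audit every namespace with the default command.
[ "${AUDIT_NETNS_RUN:-0}" = 1 ] && audit_all_net_namespaces "$@"
```

Set AUDIT_NETNS_RUN=1 to run the audit when executing the file directly; sourcing it only defines the functions.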



More information about the Devel mailing list