From: Christian Brauner <christian@brauner.io>
To: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux-foundation.org
Cc: tyhicks@canonical.com, pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, roopa@cumulusnetworks.com, nikolay@cumulusnetworks.com, Christian Brauner <christian@brauner.io>
Subject: [PATCH net-next 0/2] br_netfilter: enable in non-initial netns
Date: Wed, 7 Nov 2018 14:48:57 +0100
Message-ID: <20181107134859.19896-1-christian@brauner.io>

Hey everyone,

Over time I have seen multiple reports by users who want to run
applications (Kubernetes e.g. via [1]) that require the br_netfilter
module in non-initial network namespaces [2], [3], [4], [5] (there are
more issues where this requirement is reported).

Currently, the /proc/sys/net/bridge folder is only created in the
initial network namespace. This patch series ensures that the
/proc/sys/net/bridge folder is available in each network namespace if
the module is loaded and disappears from all network namespaces when the
module is unloaded.

The patch series also makes the sysctls:

  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev

apply per network namespace. This unblocks some use cases where users
would like to e.g. not do bridge filtering for bridges in a specific
network namespace while doing so for bridges located in another network
namespace. The netfilter rules are afaict already per network namespace,
so it should be safe for users to specify whether a bridge device inside
their network namespace is supposed to go through iptables et al. or
not. Also, this can already be done by setting an option for each
individual bridge via Netlink. It should also be possible to do this for
all bridges in a network namespace via sysctls.

Thanks!
Christian

[1]: https://github.com/zimmertr/Bootstrap-Kubernetes-with-Ansible
[2]: https://github.com/lxc/lxd/issues/5193
[3]: https://discuss.linuxcontainers.org/t/bridge-nf-call-iptables-and-swap-error-on-lxd-with-kubeadm/2204
[4]: https://github.com/lxc/lxd/issues/3306
[5]: https://gitlab.com/gitlab-org/gitlab-runner/issues/3705

Christian Brauner (2):
  br_netfilter: add struct netns_brnf
  br_netfilter: namespace bridge netfilter sysctls

 include/net/net_namespace.h          |   3 +
 include/net/netfilter/br_netfilter.h |   3 +-
 include/net/netns/netfilter.h        |  16 +++
 net/bridge/br_netfilter_hooks.c      | 166 ++++++++++++++++++---------
 net/bridge/br_netfilter_ipv6.c       |   2 +-
 5 files changed, 134 insertions(+), 56 deletions(-)

-- 
2.19.1
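A small audit script for the sysctls the cover letter lists, added here as an example and not part of Christian Brauner's series. It distinguishes the three states a defender cares about once these knobs are per-namespace: the /proc/sys/net/bridge directory is absent (module not loaded, or a pre-series kernel inside a non-initial netns), the directory is present but a bridge-nf-call-* knob is 0 (bridged frames bypass that table's rules in this netns), or all three call-* knobs are 1. The BRNF_ROOT variable and the optional root argument are assumptions added so the check can be pointed at a copied /proc tree; in practice it is run inside each namespace with ip netns exec.

```shell
#!/bin/sh
# Added example (not from the patch series): audit br_netfilter sysctls
# for the network namespace this shell runs in, e.g.
#   ip netns exec <name> sh brnf_audit.sh
# Exit codes: 0 all bridge-nf-call-*tables knobs are 1,
#             1 /proc/sys/net/bridge is absent in this netns,
#             2 directory present but at least one call-* knob is 0.

# The six sysctls named in the cover letter.
BRNF_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-ip6tables \
bridge-nf-call-iptables bridge-nf-filter-pppoe-tagged \
bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

brnf_audit() {
    # Assumed knob: an alternate proc root (argument or BRNF_ROOT), so the
    # function can be exercised against a constructed tree; defaults to /proc.
    root="${1:-${BRNF_ROOT:-/proc}}"
    dir="$root/sys/net/bridge"
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (br_netfilter not loaded, or not visible in this netns)"
        return 1
    fi
    rc=0
    for name in $BRNF_SYSCTLS; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "$name: not present"
            continue
        fi
        val=$(cat "$f")
        echo "$name = $val"
        # Only the call-*tables knobs decide whether bridged traffic is
        # handed to arptables/ip6tables/iptables at all; the filter-*/pass-*
        # knobs refine which frames are seen and are just reported.
        case "$name" in
            bridge-nf-call-*) [ "$val" = "1" ] || rc=2 ;;
        esac
    done
    return $rc
}
```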