On 10/24/2013 06:51 PM, James Chapman wrote:
> On 24/10/13 16:53, Benjamin LaHaise wrote:
>> On Thu, Oct 24, 2013 at 04:43:42PM +0100, James Chapman wrote:
>>> I'm thinking about the implications of a skb in the net namespace of the
>>> ppp interface passing through a tunnel socket which is in another
>>> namespace. I think net namespaces are completely isolated.
>>>
>>> To keep your ppp interfaces isolated from each other, have you
>>> considered using netfilter to prevent data being passed between ppp
>>> interfaces?
>>
>> Using network namespaces for this is far more efficient. We've already
>> added support for doing this to other tunneling interfaces. This approach
>> also makes creating VPNs where there is re-use of the private address space
>> between different customers far easier to implement.
>>
>> -ben
>
> Yes, it's definitely more efficient and potentially useful, I agree.
>
> But unlike the other tunneling interfaces for which this has already
> been done, L2TP uses a socket for its tunnel and a skb will cross net
> namespace boundaries while passing through the socket. I remember a
> similar discussion came up several months ago with vxlan which also uses
> UDP sockets. See http://www.spinics.net/lists/netdev/msg221498.html.
>
> Changing the behaviour of ppp interfaces only when they are created by
> l2tp feels wrong to me, unless it is the first step in doing the same
> for all ppp interfaces.

I agree. I only took care of L2TP first because it seemed safe, and that's why I posted the patch as RFC in the first place.

François