Arnd Bergmann wrote:
> On Tuesday 24 November 2009, Patrick McHardy wrote:
>> Eric W. Biederman wrote:
>>> I don't quite follow what you intend with dev_queue_xmit when the macvlan
>>> is in one namespace and the real physical device is in another. Are
>>> you mentioning that the packet classifier runs in the namespace where
>>> the primary device lives with packets from a different namespace?
>> Exactly. And I think we should make sure that the namespace of
>> the macvlan device can't (deliberately or accidentally) cause
>> misclassification.
>
> This is independent of my series and a preexisting problem, right?

Correct.

> Which fields do you think need to be reset to maintain namespace
> isolation for the outbound path in macvlan?

In addition to those already handled, I'd say

- priority: affects qdisc classification, may refer to classes of the old namespace
- ipvs_property: might cause packets to incorrectly skip netfilter hooks
- nf_trace: might trigger packet tracing
- nf_bridge: contains references to network devices in the old NS, also indicates packet was bridged
- iif: index is only valid in the originating namespace
- tc_index: classification result, should only be set in the namespace of the classifier
- tc_verd: RTTL etc. should begin at zero again
- probably secmark.

_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/virtualization
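The following is an added illustration, not kernel code and not part of the thread above: a reduced stand-in for sk_buff carrying the fields Patrick lists, a scrub routine that resets them at the point where a macvlan's skb is handed to a lower device living in another namespace, and an invariant check a reviewer could assert at the lower device's dev_queue_xmit(). The struct layout, the sample field values, and the names skb_scrub_for_ns_crossing() and skb_ns_state_is_clean() are assumptions made for this example; the real sk_buff and the macvlan code differ, and a real scrub must also drop the reference held by nf_bridge rather than just clear the pointer.

```c
/* Added illustration: a reduced stand-in for sk_buff and the scrub a
 * reviewer would expect on the macvlan outbound path. Not kernel code;
 * struct layout, names and sample values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct net_dev {            /* stand-in for struct net_device */
    int ifindex;
    int netns_id;           /* which namespace owns the device */
};

struct skb {                /* stand-in for struct sk_buff */
    /* state that must survive the crossing */
    struct net_dev *dev;
    unsigned char data[64];
    unsigned int len;
    /* per-namespace state named in the reply */
    uint32_t priority;
    unsigned int ipvs_property:1;
    unsigned int nf_trace:1;
    void *nf_bridge;
    int iif;
    uint16_t tc_index;
    uint16_t tc_verd;
    uint32_t secmark;
};

/* Constructed sample: a macvlan in namespace 2 on top of a physical
 * device in namespace 1. fake_bridge_info stands in for nf_bridge_info. */
static struct net_dev upper_dev = { .ifindex = 7, .netns_id = 2 };
static struct net_dev lower_dev = { .ifindex = 3, .netns_id = 1 };
static int fake_bridge_info;

/* An skb as it might leave the macvlan, still carrying classification
 * and netfilter state that only means something in namespace 2. */
struct skb make_stale_skb(void)
{
    struct skb s;
    memset(&s, 0, sizeof s);
    s.dev = &upper_dev;
    memcpy(s.data, "payload", 7);
    s.len = 7;
    s.priority = 0x00010006;    /* a class id (1:6) of a qdisc in netns 2 */
    s.ipvs_property = 1;        /* would let it skip netfilter hooks */
    s.nf_trace = 1;             /* would trigger tracing in netns 1 */
    s.nf_bridge = &fake_bridge_info;
    s.iif = upper_dev.ifindex;  /* ifindex 7 means something else in netns 1 */
    s.tc_index = 0x2a;          /* classification result from netns 2 */
    s.tc_verd = 3;
    s.secmark = 0x1234;
    return s;
}

/* Reset everything whose meaning is local to the originating namespace,
 * then point the skb at the lower device. Mirrors the list in the reply. */
void skb_scrub_for_ns_crossing(struct skb *s, struct net_dev *lower)
{
    s->priority = 0;
    s->ipvs_property = 0;
    s->nf_trace = 0;
    s->nf_bridge = NULL;        /* a real kernel must also drop the reference */
    s->iif = 0;
    s->tc_index = 0;
    s->tc_verd = 0;
    s->secmark = 0;
    s->dev = lower;
}

/* Invariant to assert at the lower device's dev_queue_xmit():
 * returns 1 if no namespace-local state is left on the skb, else 0. */
int skb_ns_state_is_clean(const struct skb *s, const struct net_dev *lower)
{
    return s->dev == lower &&
           s->priority == 0 && !s->ipvs_property && !s->nf_trace &&
           s->nf_bridge == NULL && s->iif == 0 &&
           s->tc_index == 0 && s->tc_verd == 0 && s->secmark == 0;
}

int main(void)
{
    struct skb s = make_stale_skb();
    printf("before scrub: clean=%d tc_index=%#x priority=%#x\n",
           skb_ns_state_is_clean(&s, &lower_dev), s.tc_index, s.priority);
    skb_scrub_for_ns_crossing(&s, &lower_dev);
    printf("after scrub:  clean=%d len=%u\n",
           skb_ns_state_is_clean(&s, &lower_dev), s.len);
    return 0;
}
```

The check is deliberately placed at the receiving side of the crossing: the qdisc and netfilter hooks in the lower device's namespace are what consume priority, tc_index, ipvs_property and nf_trace, so that is where leftover values from the macvlan's namespace would be honoured.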