Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults

From: David Miller
Date: Thu Feb 25 2016 - 11:43:50 EST

Next message: Alexei Starovoitov: "Re: [PATCH net-next 2/3] bpf: introduce BPF_MAP_TYPE_STACK_TRACE"
Previous message: Al Viro: "Re: fs: NULL deref in atime_needs_update"
In reply to: Nicolas Dichtel: "Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
Date: Thu, 25 Feb 2016 15:20:48 +0100

> Le 24/02/2016 23:05, Eric W. Biederman a écrit :
> [snip]
>> In the general case the current behavior is random and not something
>> applications can count on, and we would do well to fix it so it is
>> less
>> random. In particular consider the case of an application in a
>> non-initial network namespace creating a new network namespace. It is
>> not even possible to predict what values they will get for sysctls
>> today.
> +1

But there is a counter argument to this.

The admin set up the initial namespace so that any namespace
instantiated by a user (even non-initial namespaces) starts with a
specific set of sysctl values. So the admin "knows", he set it up
intentionally this way, and it's a valid model.

This behavior is anything but random. Rather, it is very predictable
and controllable.

Do you really want to find out who you're going to break out there with
so many installations in the world right now?

I do not.

Next message: Alexei Starovoitov: "Re: [PATCH net-next 2/3] bpf: introduce BPF_MAP_TYPE_STACK_TRACE"
Previous message: Al Viro: "Re: fs: NULL deref in atime_needs_update"
In reply to: Nicolas Dichtel: "Re: [PATCH] ipv4: in new netns initialize sysctls in net.ipv4.conf.* with defaults"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]