[0/3] Namespaceify two sysctls related with route

Message ID 20220822045310.203649-1-xu.xin16@zte.com.cn (mailing list archive)
Message

CGEL Aug. 22, 2022, 4:53 a.m. UTC
From: xu xin <xu.xin16@zte.com.cn>

With the rise of cloud native, more and more container applications are
deployed. The network namespace is one of the foundations of the container.
The sysctls error_cost and error_burst are important knobs to control
the sending frequency of ICMP_DEST_UNREACH packets for ipv4. When different
containers have requirements on the tuning of error_cost and error_burst,
for the host's security, the sysctls should exist per network namespace.

Different netns have different requirements on the setting of error_cost
and error_burst, which are related to limiting the frequency of sending
ICMP_DEST_UNREACH packets. Enable them to be configured per netns.

*** BLURB HERE ***

xu xin (3):
  ipv4: Namespaceify route/error_cost knob
  ipv4: Namespaceify route/error_burst knob
  ipv4: add documentation of two sysctls about icmp

 Documentation/networking/ip-sysctl.rst | 17 ++++++++++
 include/net/netns/ipv4.h               |  2 ++
 net/ipv4/route.c                       | 45 ++++++++++++++------------
 3 files changed, 44 insertions(+), 20 deletions(-)

Comments

Jakub Kicinski Aug. 23, 2022, 2:05 a.m. UTC | #1
On Mon, 22 Aug 2022 04:53:10 +0000 cgel.zte@gmail.com wrote:
> With the rise of cloud native, more and more container applications are
> deployed. The network namespace is one of the foundations of the container.
> The sysctls error_cost and error_burst are important knobs to control
> the sending frequency of ICMP_DEST_UNREACH packets for ipv4. When different
> containers have requirements on the tuning of error_cost and error_burst,
> for the host's security, the sysctls should exist per network namespace.
> 
> Different netns have different requirements on the setting of error_cost
> and error_burst, which are related to limiting the frequency of sending
> ICMP_DEST_UNREACH packets. Enable them to be configured per netns.

I'm not familiar with the IPv6 implementation either, but someone needs
to explain to me why the knob is important in v4 while entirely absent
in v6. On the surface this makes no sense. There may be a good reason,
it just needs to be stated.

Also from the patches:

Signed-off-by: CGEL ZTE <cgel.zte@gmail.com>

Bots / teams can't sign off patches, I've been over this with your
colleagues. Please put your team's name in your signoff, e.g.

Signed-off-by: Minghao Chi (CGEL ZTE) <chi.minghao@zte.com.cn>

Thanks!