[v3,net-next,0/2] net: openvswitch: metering and conntrack in userns

Message ID	20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de (mailing list archive)
Headers	show Return-Path: <netdev-owner@kernel.org> From: =?utf-8?q?Michael_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de> To: Paolo Abeni <pabeni@redhat.com>, Pravin B Shelar <pshelar@ovn.org>, "David S . Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org> Cc: Joe Stringer <joe@cilium.io>, Andy Zhou <azhou@ovn.org>, =?utf-8?q?Micha?= =?utf-8?q?el_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>, Eric Dumazet <edumazet@google.com>, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 net-next 0/2] net: openvswitch: metering and conntrack in userns Date: Fri, 23 Sep 2022 15:38:18 +0200 Message-Id: <20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	net: openvswitch: metering and conntrack in userns \| expand [v3,net-next,0/2] net: openvswitch: metering and conntrack in userns [v3,net-next,1/2] net: openvswitch: allow metering in non-initial user namespace [v3,net-next,2/2] net: openvswitch: allow conntrack in non-initial user namespace

Message ID

20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de (mailing list archive)

Headers

From: =?utf-8?q?Michael_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>
To: Paolo Abeni <pabeni@redhat.com>, Pravin B Shelar <pshelar@ovn.org>,
        "David S . Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>
Cc: Joe Stringer <joe@cilium.io>, Andy Zhou <azhou@ovn.org>, =?utf-8?q?Micha?=
	=?utf-8?q?el_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>,
 Eric Dumazet <edumazet@google.com>, netdev@vger.kernel.org,
 dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 net-next 0/2] net: openvswitch: metering and conntrack in
 userns
Date: Fri, 23 Sep 2022 15:38:18 +0200
Message-Id: <20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

net: openvswitch: metering and conntrack in userns | expand

Message

Michael Weiß Sept. 23, 2022, 1:38 p.m. UTC

Currently using openvswitch in a non-initial user namespace, e.g., an
unprivileged container, is possible but without metering and conntrack
support. This is due to the restriction of the corresponding Netlink
interfaces to the global CAP_NET_ADMIN.

This simple patches switch from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM
in several cases to allow this also for the unprivileged container
use case.

We tested this for unprivileged containers created by the container
manager of GyroidOS (gyroidos.github.io). However, for other container
managers such as LXC or systemd which provide unprivileged containers
this should be apply equally.

Changes in v3:
- also changed GFP_KERNEL to GFP_KERNEL_ACCOUNT in
  ovs_ct_limit_set_zone_limit() as suggested by Jakub
- Rebased on net-next/main branch of networking tree

Changes in v2:
- changed GFP_KERNEL to GFP_KERNEL_ACCOUNT in dp_meter_create()
  as suggested by Paolo
- Rebased on net branch of networking tree

Michael Weiß (2):
  net: openvswitch: allow metering in non-initial user namespace
  net: openvswitch: allow conntrack in non-initial user namespace

 net/openvswitch/conntrack.c | 13 ++++++++-----
 net/openvswitch/meter.c     | 14 +++++++-------
 2 files changed, 15 insertions(+), 12 deletions(-)


base-commit: 3aba35bb201fd2481b3fd5794120d9d1b0734fe8

Comments

patchwork-bot+netdevbpf@kernel.org Sept. 27, 2022, 9:50 a.m. UTC | #1

Hello:

This series was applied to netdev/net-next.git (master)
by Paolo Abeni <pabeni@redhat.com>:

On Fri, 23 Sep 2022 15:38:18 +0200 you wrote:
> Currently using openvswitch in a non-initial user namespace, e.g., an
> unprivileged container, is possible but without metering and conntrack
> support. This is due to the restriction of the corresponding Netlink
> interfaces to the global CAP_NET_ADMIN.
> 
> This simple patches switch from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM
> in several cases to allow this also for the unprivileged container
> use case.
> 
> [...]

Here is the summary with links:
  - [v3,net-next,1/2] net: openvswitch: allow metering in non-initial user namespace
    https://git.kernel.org/netdev/net-next/c/803937184717
  - [v3,net-next,2/2] net: openvswitch: allow conntrack in non-initial user namespace
    https://git.kernel.org/netdev/net-next/c/59cd7377660a

You are awesome, thank you!