Subject: Re: [PATCH] netlink: Add netns check on taps
From: Daniel Borkmann
To: David Miller, cernekee@chromium.org
Cc: johannes.berg@intel.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 6 Dec 2017 21:51:44 +0100
Message-ID: <6de61b79-9015-a445-0d95-a0f3ed823213@iogearbox.net>
In-Reply-To: <20171206.144003.2119311447846512879.davem@davemloft.net>

On 12/06/2017 08:40 PM, David Miller wrote:
> From: Kevin Cernekee
> Date: Tue, 5 Dec 2017 14:46:22 -0800
>
>> Currently, a nlmon link inside a child namespace can observe systemwide
>> netlink activity. Filter the traffic so that in a non-init netns,
>> nlmon can only sniff netlink messages from its own netns.
>>
>> Test case:
>>
>> vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>>                   ip link set nlmon0 up; \
>>                   tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>> sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>>     spi 0x1 mode transport \
>>     auth sha1 0x6162633132330000000000000000000000000000 \
>>     enc aes 0x00000000000000000000000000000000
>> grep abc123 /tmp/nlmon.pcap
>>
>> Signed-off-by: Kevin Cernekee
>
> Daniel, what behavior did you intend this to have?
>
> Taps can see their own namespace only, or init_net is special
> and can see all netlink activity.
>
> I think letting init_net see everything could be confusing,
> because there is no way to distinguish netlink events by
> namespace just by looking at the messages that arrive at
> the tap right?

Yeah, only snooping from own netns makes sense, let's limit it to this.