[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Paul Moore
paul.moore at hp.com
Thu Jun 22 16:49:59 UTC 2006
Dave Hansen wrote:
> Quoting Ted (txtoth at gmail.com):
>
>>Can anyone point me to a good source of information on namespaces in
>>general and network namespaces specifically. Are network namespaces
>>something that could be utilized through xinetd to get polyinstantiated
>>port functionality?
>
>
> I was just talking to Serge about this on IRC a bit. I think network
> namespaces might do some of what you want.
>
> Note that this is coming from somebody (me) that has never written a
> line of networking code in his life. So, don't pay too much attention.
> Just brainstorming.
>
> One of the important things that they give you is the ability to have
> multiple stupid daemons listening on "*:80". Each daemon thinks they
> "own" that port. However, the network namespace patches make sure that
> such a daemon doesn't receive any packets not meant for an IP owned by
> that daemon.
>
> So, if you added network namespaces with a rewriting netfilter rule that
> would mangle destination addresses to match the IP address of a
> containerized daemon, I _think_ you might be able to get what you want.
>
> So,
>
> 1. packet comes in for port 80
> 2. packet is tagged by secmark
> 3. packet matches netfilter rule, is redirected to a _specific_ IP
> 4. packet reaches containerized daemon listening on port 80
>
My only concern with something like this is that it would probably wreak
havoc with things that do checksums/HMACs/etc with the IP addresses. I
think we should try to avoid packet mangling as much as possible; it
tends to introduce more problems than it solves (NAT anyone?). However,
it may be that someone has already thought of that and found a way
around it?
--
paul moore
linux security @ hp
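The checksum concern raised above, worked through as an added example (not from the thread or its authors): the TCP checksum covers a pseudo-header containing the IP addresses, so a destination rewrite invalidates it and a middlebox must recompute it; a keyed MAC computed over the same pseudo-header (as TCP-MD5 does) cannot be repaired by a box that lacks the key. Addresses and the key are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """RFC 793 pseudo-header: src addr, dst addr, zero, protocol, TCP length."""
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))

def build_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK, checksum zeroed) plus payload."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def with_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Fill in the TCP checksum field (header bytes 16-17) for these addresses."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header plus segment must be all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def keyed_mac(key: bytes, src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Stand-in for a MAC that, like TCP-MD5 (RFC 2385), covers the pseudo-header."""
    return hmac.new(key, pseudo_header(src_ip, dst_ip, len(segment)) + segment, hashlib.sha256).digest()

def demo() -> dict:
    src, dst, container = "10.0.0.1", "192.0.2.10", "10.0.3.5"   # constructed addresses
    key = b"constructed-demo-key"                                  # constructed shared key
    seg = with_checksum(src, dst, build_segment(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
    mac = keyed_mac(key, src, dst, seg)                            # computed by the sender
    return {
        "original_ok": checksum_ok(src, dst, seg),
        "after_dnat_ok": checksum_ok(src, container, seg),         # stale checksum, now False
        "recomputed_ok": checksum_ok(src, container, with_checksum(src, container, seg)),
        "mac_after_dnat_ok": hmac.compare_digest(mac, keyed_mac(key, src, container, seg)),
    }
```

The checksum can be recomputed by the rewriting box because it is keyless; the MAC check stays broken after the rewrite because only the endpoints hold the key.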