From: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

vxlan is safe in CT as:

1) Udp multicast socket to connect to outer world sits in creation net-namespace, and these sockets can get packets only forwarded/routed in creation ns.

2) Vxlan device is owned by second netns (could be same as first) as any other network device, so all packets coming to it are from the same ns.

3) Vxlan's logic works through vxlan_net placed on creation netns; vxlan_fdb and vxlan_rdst are per vxlan device. Thus entries can not intersect with entries from host and other CTs.

* One problem I can see now is adding fdb with ifindex (index of device to route packets from UDP socket through) after vxlan is moved to second namespace: in vxlan_fdb_parse we use second namespace to check ifindex by device lookup, but in vxlan_xmit_one->ip_route_output_key->...->__ip_route_output_key we use first (creation) namespace to lookup device and probably will fail. So all fdb configuration should go before moving to ns. Same is in mainstream AFAICS.

https://jira.sw.ru/browse/PSBM-53629

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Acked-by: Andrei Vagin <ava...@virtuozzo.com>

khorenko@: Docker Swarm requires vxlans.

(cherry picked from vz7 commit d5805ee4d748 ("ve/net/vxlan: enable support and autoload in a container"))

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
 kernel/kmod.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/kmod.c b/kernel/kmod.c index 9a24a65deecb..ddf44c79c851 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -261,6 +261,7 @@ static const char * const ve0_allowed_mod[] = { "net-pf-16-proto-4-type-16", /* PF_NETLINK, NETLINK_SOCK_DIAG, AF_NETLINK */ "rtnl-link-dummy", + "rtnl-link-vxlan", }; /* _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
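Review bot: the new "rtnl-link-vxlan" entry in ve0_allowed_mod[] carries no trailing comment, while the neighbouring "net-pf-16-proto-4-type-16" line documents what its alias stands for; since this array is the allowlist of modules a container may autoload, add a short comment naming the module and the reason it is considered safe (the per-netns vxlan_net and per-device fdb/rdst argument from the commit text), so someone auditing the list later does not have to dig up this commit. The ordering constraint the commit message itself points out (fdb entries carrying an ifindex must be configured before the device is moved into the second netns, otherwise the route lookup in the creation netns fails) is not recorded anywhere in the code either; a comment next to this entry or in the vxlan fdb path would turn a silent failure into something a user can find.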