[SRU][B/D] Ensure /proc/sys/net/bridge folders (dis)appear appropriately
connor.kuehl at canonical.com
Wed Aug 28 23:28:12 UTC 2019
On 7/25/19 5:20 PM, Connor Kuehl wrote:
> Note: Bionic required two additional patches in order for these to apply cleanly, one
> of which required minor backporting to use the updated wrappers/symbols.
> BugLink: https://bugs.launchpad.net/bugs/1836910
> Justification taken from the link above ^
> SRU Justification
> Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace.
> This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific
> network namespace while doing so for bridges located in another network namespace.
> Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network
> namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
> In doing so the patch makes the sysctls:
> apply per network namespace.
> Regression Potential: None, since this didn't use to work before. Otherwise limited to the br_netfilter module.
> The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether
> bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can
> already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be
> possible to do this for all bridges in a network namespace via sysctls.
> Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Ping for SRU consideration into Bionic. Updated regression potential
from the bug report below:
"Regression Potential: Low since it is limited to the br_netfilter
module. I tested the patchset extensively by compiling a kernel with the
patches applied. I loaded and unloaded the module and verified that it
works correctly for the container usecase and does not crash. The Google
ChromeOS team has also backported this patchset to their kernel and has
not seen any issues so far:
Security considerations around netfilter rules are also low. The
netfilter rules are already per network namespace so it should be safe
for users to specify whether bridge devices inside a network namespace
are supposed to go through iptables et al. or not. Also, this can
already be done per-bridge by setting an option for each individual
bridge via Netlink. It should also be possible to do this for all
bridges in a network namespace via sysctls."
More information about the kernel-team