On 12/06/2017 08:40 PM, David Miller wrote: > From: Kevin Cernekee <cerne...@chromium.org> > Date: Tue, 5 Dec 2017 14:46:22 -0800 > >> Currently, a nlmon link inside a child namespace can observe systemwide >> netlink activity. Filter the traffic so that in a non-init netns, >> nlmon can only sniff netlink messages from its own netns. >> >> Test case: >> >> vpnns -- bash -c "ip link add nlmon0 type nlmon; \ >> ip link set nlmon0 up; \ >> tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & >> sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ >> spi 0x1 mode transport \ >> auth sha1 0x6162633132330000000000000000000000000000 \ >> enc aes 0x00000000000000000000000000000000 >> grep abc123 /tmp/nlmon.pcap >> >> Signed-off-by: Kevin Cernekee <cerne...@chromium.org> > > Daniel, what behavior did you intend this to have? > > Taps can see their own namespace only, or init_net is special > and can see all netlink activity. > > I think letting init_net see everything could be confusing, > because there is no way to distinguish netlink events by > namespace just by looking at the messages that arrive at > the tap right?
Yeah, only snooping from own netns makes sense, lets limit it to this.
