Backport th/supplicant-manager-fix-ref-count-rh1298007 to 1.0?

2016-02-27 Thread Dan Williams
Thomas,

Do you think it's worth backporting
th/supplicant-manager-fix-ref-count-rh1298007 to nm-1-0?  I was just
looking at https://bugzilla.redhat.com/show_bug.cgi?id=1241198 and maybe
that branch fixes the bug there.  The only other plausible reason would
be memory corruption.  But 1.0 would benefit from that fix too.  What do
you think?

Dan
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


OpenVPN isolation using NetworkNamespaces

2016-02-27 Thread Stjepan Groš
Hi!

I just committed to my repository
(https://github.com/sgros/MIF_NetworkManager) functionality that allows
VPNs with virtual devices to be isolated within a separate network
namespace. For that purpose there are the following parameters within
the connection section of the VPN configuration file:

netns-isolate=[true|false]
=> if "true" VPN connection will be isolated

netns-persistent=[true|false]
=> should network namespace be removed (false) when VPN connection is
terminated or not (true)

netns-name=[uuid|name|]
=> the name of the network namespace. uuid and name take connection uuid
and ID respectively, while anything else is taken as is

netns-timeout=ms
=> how long to wait for the virtual device to be switched from the source
network namespace to the target network namespace. Namely, due to the
sequence of events that should occur while moving a device between network
namespaces (event of new device, event of removal of existing device)
this process must be asynchronous and so we have to wait. This parameter
defines the maximum wait time.

Trying this with OpenVPN works for me. But, as usual, this is very
likely full of bugs and there are a lot of missing features.

A few ideas/TODOs for the follow-up:

1. Expose method to move devices (nm_netns_take_device) via D-Bus
(exists, but it's an old design and should be reworked).

2. Modify NMActRequest to also allow isolation the same way as VPN
connections.

3. Add method to allow device cloning (e.g. macvlan or veth) that will
allow the same connection in multiple network namespaces. This will also
allow VPNs without virtual interfaces to be isolated.

Then, I suppose, I have all the mechanisms to proceed to PvD manipulation.

SG
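
Added example, not part of the original post or of the MIF_NetworkManager code: a small audit that reads the netns-* parameters described above from a keyfile-style profile, resolves netns-name the way the post describes (uuid, name, or a literal), and reports settings that weaken isolation. The sample profile, the function names and the treatment of missing keys as "false" are assumptions.

```python
import configparser

# Constructed sample profile; id, uuid and values are made up for illustration.
SAMPLE_PROFILE = """\
[connection]
id=office-vpn
uuid=00000000-0000-4000-8000-000000000001
type=vpn
netns-isolate=true
netns-persistent=false
netns-name=uuid
netns-timeout=5000
"""

def _flag(conn, key):
    # Assumption: a missing key means "false"; the post does not state defaults.
    return conn.get(key, "false").strip().lower() == "true"

def read_netns_settings(keyfile_text):
    """Parse [connection] and resolve netns-name as the post describes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    conn = cp["connection"]
    raw_name = conn.get("netns-name", "").strip()
    if raw_name == "uuid":        # take the connection UUID
        name = conn.get("uuid")
    elif raw_name == "name":      # take the connection ID
        name = conn.get("id")
    else:                         # anything else is taken as is
        name = raw_name or None
    timeout = conn.get("netns-timeout")
    return {"isolate": _flag(conn, "netns-isolate"),
            "persistent": _flag(conn, "netns-persistent"),
            "name": name,
            "timeout_ms": int(timeout) if timeout else None}

def audit(keyfile_text):
    """Return findings about the isolation settings of one profile."""
    s = read_netns_settings(keyfile_text)
    if not s["isolate"]:
        return ["netns-isolate is not true: VPN shares the default namespace"]
    findings = []
    if s["name"] is None:
        findings.append("netns-isolate is true but no namespace name resolves")
    if s["timeout_ms"] is not None and s["timeout_ms"] <= 0:
        findings.append("netns-timeout leaves no time for the device move")
    if s["persistent"]:
        findings.append("netns-persistent=true: namespace outlives the VPN")
    return findings

if __name__ == "__main__":
    print(read_netns_settings(SAMPLE_PROFILE), audit(SAMPLE_PROFILE))
```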

