Network module initialization - net (network namespaces)

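This article examines how the Linux kernel implements multiple network stacks: a pointer to the network namespace structure is placed on network devices, sockets, processes and filesystems to establish the context in which an operation runs. Network namespaces show up most often on the control, setup and cleanup code paths, and mainly affect routing table selection and packet handling. The kernel keeps a global list of network namespaces, defines a default network namespace, and uses the pernet_operations structure to encapsulate the function interface. Initializing and unregistering a network namespace involves a series of list management steps and callback invocations.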

[ include/net/net_namespace.h ]

We want to make it look to user space like the kernel implements multiple network stacks.

To implement this some of the currently global variables in the network stack need to have one instance per network namespace, or the global data structure needs to have a network namespace field.

Currently control enters the network stack in one of 4 major ways. Through operations on a socket, through a packet coming in from a network device, through miscellaneous syscalls from a process, and through operations on a virtual filesystem. So the current design calls for placing a pointer to struct net (the network namespace structure) on network devices, sockets, processes, and on filesystems so we have a clear understanding of which network namespace operations should be done in the context of.

Packets do not contain a pointer to a network device structure. Instead their network device is derived from which network device or which socket they are passing through.

On the input path we only need to look at the network namespace to determine which routing tables to use, and which sockets the packet can be destined for.

Similarly on the output path we only need to consult the network namespace for the output routing tables which point to which network devices we can use.

So while there are accesses to the network namespace as we process each packet they are in well contained spots that occur rarely.

Where the network namespace appears most is on the control, setup, and clean up code paths, in the network stack that we change rarely. There we currently don't have anything except a global context so modifications are necessary, but since the network parameter is not implicit it should not require much thought to use.

The implementation strategy follows the classic global lock reduction pattern. First all of the interfaces at a given level in the network stack are made to filter out traffic from anything except the initial network namespace, and then those interfaces are allowed to see packets from any network namespace. Then some subset of those interfaces are taught to handle packets from all namespaces, after the more specific protocol layers below them have been made to filter those packets.

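The network module has many global construction and destruction operations, and they are implemented in an object-oriented style:
  1. A global list is defined, and all network namespaces are registered on this list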
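
The construct/destruct pattern described above, as an added example that is not from the article or the kernel source: a simplified userspace C model in which subsystems register a `pernet_operations` with `init`/`exit` callbacks, a new namespace runs each `init` in registration order, and a failed `init` unwinds only what was already constructed. The `model_*` functions, `model_init_net`, `bad_net` and the sample subsystems are hypothetical, and the model assumes every subsystem registers before any namespace exists.

```c
#define MAX_OPS 4
struct net { int live; unsigned inited; };   /* inited: bit i set after ops i's init() ran */
struct pernet_operations {                    /* the two callbacks the page refers to */
    int  (*init)(struct net *net);
    void (*exit)(struct net *net);
};
static const struct pernet_operations *ops_list[MAX_OPS];  /* kept in registration order */
static int nr_ops, exit_calls;

/* Model assumption: every subsystem registers before any namespace is created. */
int model_register_pernet(const struct pernet_operations *ops)
{
    if (nr_ops == MAX_OPS)
        return -1;
    ops_list[nr_ops++] = ops;
    return 0;
}

/* Tear down in reverse registration order, touching only what was constructed. */
void model_cleanup_net(struct net *net)
{
    for (int i = nr_ops - 1; i >= 0; i--)
        if (net->inited & (1u << i)) {
            ops_list[i]->exit(net);
            net->inited &= ~(1u << i);
        }
    net->live = 0;
}

/* New namespace: run init() in registration order; a failure unwinds the rest. */
int model_setup_net(struct net *net)
{
    net->inited = 0;
    for (int i = 0; i < nr_ops; i++) {
        if (ops_list[i]->init(net) < 0) {
            model_cleanup_net(net);   /* no half-initialized namespace is left behind */
            return -1;
        }
        net->inited |= 1u << i;
    }
    net->live = 1;
    return 0;
}

/* Constructed sample data: one subsystem always succeeds, one refuses bad_net. */
struct net model_init_net, bad_net;
static int  ok_init(struct net *net)    { (void)net; return 0; }
static int  picky_init(struct net *net) { return net == &bad_net ? -1 : 0; }
static void count_exit(struct net *net) { (void)net; exit_calls++; }
const struct pernet_operations ok_ops    = { ok_init, count_exit };
const struct pernet_operations picky_ops = { picky_init, count_exit };
```

The `inited` bitmask is what keeps teardown from calling `exit` on state that was never constructed, which is the failure mode to watch for when a per-namespace `init` can fail part-way through.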