vishvananda / netlink

Simple netlink library for go.
Apache License 2.0

`FouAdd` ignores namespace handle #834

Open lincolnmantracer opened 1 year ago

lincolnmantracer commented 1 year ago

Using handle.FouAdd seems to add a FoU decapsulation endpoint to the host, even when run with a docker container namespace. I'm using (basically) the following code:

package main

import (
    "context"
    "fmt"
    "net"

    "github.com/docker/docker/client"
    "github.com/vishvananda/netlink"
    "github.com/vishvananda/netlink/nl"
    "github.com/vishvananda/netns"
)

// addFou opens a handle in the container's network namespace and adds a
// FoU decapsulation endpoint through it.
func addFou(ctx context.Context, dockerClient *client.Client, id string, ip net.IP, port int) error {
    ctr, err := dockerClient.ContainerInspect(ctx, id)
    if err != nil {
        return err
    }

    namespace, err := netns.GetFromPath(ctr.NetworkSettings.SandboxKey)
    if err != nil {
        return fmt.Errorf("fetching container namespace: %w", err)
    }
    defer namespace.Close()

    handle, err := netlink.NewHandleAt(namespace)
    if err != nil {
        return err
    }
    defer handle.Close()

    return handle.FouAdd(netlink.Fou{
        Family:    nl.GetIPFamily(ip),
        Port:      port,
        Protocol:  4,
        EncapType: netlink.FOU_ENCAP_DIRECT,
    })
}

But the fou endpoint/thingy shows only on the host:

$ ip fou show
port 12368 ipproto 4

I thought maybe this was a general FoU problem, but iproute2 seems to do this just fine:

$ docker run --privileged --user root -itd --network phost alpine
9382e81d8f1fdb660897f4691b14f026183e8f1f568018af389fc58a97366f44
$ docker exec 9382e81 apk add iproute2
OK: 12 MiB in 27 packages
$ docker exec 9382e81 ip fou add port 5555 ipproto 4
$ docker exec 9382e81 ip fou show
port 5555 ipproto 4
$ ip fou show
$

lincolnmantracer commented 1 year ago

I was able to work around this by creating the handle with netlink.NewHandleAt(namespace, unix.NETLINK_GENERIC). I don't really understand whether this is intended behavior. It seems like NETLINK_GENERIC should be in SupportedNlFamilies.