OpenVPN isolation using NetworkNamespaces



Hi!

I just committed to my repository (https://github.com/sgros/MIF_NetworkManager) functionality that allows VPNs with virtual devices to be isolated within a separate network namespace. For that purpose there are the following parameters within the connection section of the VPN configuration file:

netns-isolate=[true|false]
=> if "true", the VPN connection will be isolated

netns-persistent=[true|false]
=> whether the network namespace should be removed (false) when the VPN connection is terminated, or kept (true)

netns-name=[uuid|name|<str>]
=> the name of the network namespace. uuid and name take the connection UUID and ID respectively, while anything else is taken as is

netns-timeout=<num>ms
=> how long to wait for the virtual device to be switched from the source network namespace to the target network namespace. Namely, due to the sequence of events that must occur while moving a device between network namespaces (an event for the new device, an event for the removal of the existing device), this process must be asynchronous, and so we have to wait. This parameter defines the maximum wait time.

Trying this with OpenVPN works for me. But, as usual, this is very likely full of bugs and there are a lot of missing features.

A few ideas/TODOs for the follow-up:

1. Expose method to move devices (nm_netns_take_device) via D-Bus (exists, but it's an old design and should be reworked).

2. Modify NMActRequest to also allow isolation the same way as VPN connections.

3. Add a method to allow device cloning (e.g. macvlan or veth) that will allow the same connection in multiple network namespaces. This will also allow VPNs without virtual interfaces to be isolated.

Then, I suppose, I have all the mechanism to proceed to PvD manipulation.

SG
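As an added example (not code from the MIF_NetworkManager repository), the following parses the four netns-* keys described above from a keyfile-style connection section and shows the bounded wait that netns-timeout is meant to cap. It assumes a `[connection]` section carrying `id` and `uuid` keys, and the default values in `DEFAULTS` are this example's own assumption, not something the post states.

```python
import configparser
import time

# Defaults are this example's assumptions; the post does not state them.
DEFAULTS = {"netns-isolate": "false", "netns-persistent": "false",
            "netns-name": "uuid", "netns-timeout": "1000ms"}
BOOLS = {"true": True, "false": False}

def parse_timeout_ms(value):
    v = value.strip()
    if not (v.endswith("ms") and v[:-2].isdigit()):
        raise ValueError(f"netns-timeout: expected <num>ms, got {value!r}")
    return int(v[:-2])

def resolve_netns_name(value, conn_uuid, conn_id):
    # "uuid" and "name" are substituted; any other string is taken as is.
    v = value.strip()
    return {"uuid": conn_uuid, "name": conn_id}.get(v, v)

def parse_netns_settings(keyfile_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    conn = cp["connection"]
    val = {k: conn.get(k, d).strip() for k, d in DEFAULTS.items()}
    return {
        "isolate": BOOLS[val["netns-isolate"].lower()],
        "persistent": BOOLS[val["netns-persistent"].lower()],
        "netns": resolve_netns_name(val["netns-name"], conn["uuid"], conn["id"]),
        "timeout_ms": parse_timeout_ms(val["netns-timeout"]),
    }

def wait_for_device(is_present, timeout_ms, poll_ms=10,
                    clock=time.monotonic, sleep=time.sleep):
    # The move is asynchronous: poll until the device appears in the target
    # namespace, giving up once the netns-timeout budget is spent.
    deadline = clock() + timeout_ms / 1000.0
    while not is_present():
        if clock() >= deadline:
            return False
        sleep(poll_ms / 1000.0)
    return True

# Constructed sample keyfile; the uuid and id are made up for this example.
SAMPLE_KEYFILE = """[connection]
id=office-vpn
uuid=11111111-2222-3333-4444-555555555555
type=vpn
netns-isolate=true
netns-name=name
netns-timeout=500ms
"""
```

`wait_for_device` takes an injectable `is_present` predicate (for instance a check that the interface name now exists under the target namespace) so the timeout logic can be exercised without root.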



