How to get the Linux network namespace for a tap/tun device referenced in /proc/[PID]/fdinfo/[FD]?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3















I want to correctly match TAP/TUN devices with the processes they are using, and I want to do this from outside of these processes using TAP/TUN devices (that is, I cannot issue any ioctl()s because I don't have access to a particular file descriptor inside its process itself).



I'm aware of the answers to How to find the connection between tap interface and its file descriptor?, that is: /proc/[PID]/fdinfo/[FD] has an additional iff: key-value pair that gives the name of the corresponding TAP/TUN network interface.



However, there's a problem with network namespaces, especially when TAP/TUN network interfaces get moved around network namespaces after their user-space processes have attached to them; for instance (here, tapclient is a simple variation of a34729t's tunclient.c, which accepts a tap network name and attaches to it):



$ sudo ip tuntap add tap123 mode tap
$ sudo tapclient tap123 &
$ sudo ip netns add fooz
$ sudo ip link set tap123 netns fooz
$ PID=$(ps faux | grep tapclient | grep -v -e sudo -e grep | awk 'print $2')
$ sudo cat /proc/$PID/fdinfo/3


...which then gives: iff: tap123 -- but not the network namespace where the tap123 network interface is currently located in.



Of course, tap123 can be located by iterating over all network namespaces and looking for a matching network interface inside one of them. Unfortunately, there might be duplicate names, such as when creating another tap123 in the host namespace after we've moved the first one of this name into the fooz network namespace above:



$ sudo ip tuntap add tap123 mode tap
$ ip link show tap123
$ sudo ip netns exec fooz ip link show tap123


So we now have two tap123s in separate network namespaces, and fdinfo only gives us an ambiguous iff: tap123.



Unfortunately, looking at the /proc/$PID/ns/net network namespace of the tapclient won't help either, since that doesn't match the current network namespace of tap123 any longer:



$ findmnt -t nsfs | grep /run/netns/fooz
$ sudo readlink /proc/$PID/ns/net


For instance, this gives net:[4026532591] versus net:[4026531993].



It there a way to unambiguously match the tapclient process with the correct tap123 network interface instance it is attached to?






linux network-namespaces tap







share|improve this question
























  • Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

    – TooTea
    Mar 7 at 10:40











  • @TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

    – TheDiveO
    Mar 7 at 14:16

















3















I want to correctly match TAP/TUN devices with the processes they are using, and I want to do this from outside of these processes using TAP/TUN devices (that is, I cannot issue any ioctl()s because I don't have access to a particular file descriptor inside its process itself).



I'm aware of the answers to How to find the connection between tap interface and its file descriptor?, that is: /proc/[PID]/fdinfo/[FD] has an additional iff: key-value pair that gives the name of the corresponding TAP/TUN network interface.



However, there's a problem with network namespaces, especially when TAP/TUN network interfaces get moved around network namespaces after their user-space processes have attached to them; for instance (here, tapclient is a simple variation of a34729t's tunclient.c, which accepts a tap network name and attaches to it):



$ sudo ip tuntap add tap123 mode tap
$ sudo tapclient tap123 &
$ sudo ip netns add fooz
$ sudo ip link set tap123 netns fooz
$ PID=$(ps faux | grep tapclient | grep -v -e sudo -e grep | awk 'print $2')
$ sudo cat /proc/$PID/fdinfo/3


...which then gives: iff: tap123 -- but not the network namespace where the tap123 network interface is currently located in.



Of course, tap123 can be located by iterating over all network namespaces and looking for a matching network interface inside one of them. Unfortunately, there might be duplicate names, such as when creating another tap123 in the host namespace after we've moved the first one of this name into the fooz network namespace above:



$ sudo ip tuntap add tap123 mode tap
$ ip link show tap123
$ sudo ip netns exec fooz ip link show tap123


So we now have two tap123s in separate network namespaces, and fdinfo only gives us an ambiguous iff: tap123.



Unfortunately, looking at the /proc/$PID/ns/net network namespace of the tapclient won't help either, since that doesn't match the current network namespace of tap123 any longer:



$ findmnt -t nsfs | grep /run/netns/fooz
$ sudo readlink /proc/$PID/ns/net


For instance, this gives net:[4026532591] versus net:[4026531993].



It there a way to unambiguously match the tapclient process with the correct tap123 network interface instance it is attached to?






linux network-namespaces tap







share|improve this question
























  • Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

    – TooTea
    Mar 7 at 10:40











  • @TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

    – TheDiveO
    Mar 7 at 14:16













3












3








3








I want to correctly match TAP/TUN devices with the processes they are using, and I want to do this from outside of these processes using TAP/TUN devices (that is, I cannot issue any ioctl()s because I don't have access to a particular file descriptor inside its process itself).



I'm aware of the answers to How to find the connection between tap interface and its file descriptor?, that is: /proc/[PID]/fdinfo/[FD] has an additional iff: key-value pair that gives the name of the corresponding TAP/TUN network interface.



However, there's a problem with network namespaces, especially when TAP/TUN network interfaces get moved around network namespaces after their user-space processes have attached to them; for instance (here, tapclient is a simple variation of a34729t's tunclient.c, which accepts a tap network name and attaches to it):



$ sudo ip tuntap add tap123 mode tap
$ sudo tapclient tap123 &
$ sudo ip netns add fooz
$ sudo ip link set tap123 netns fooz
$ PID=$(ps faux | grep tapclient | grep -v -e sudo -e grep | awk 'print $2')
$ sudo cat /proc/$PID/fdinfo/3


...which then gives: iff: tap123 -- but not the network namespace where the tap123 network interface is currently located in.



Of course, tap123 can be located by iterating over all network namespaces and looking for a matching network interface inside one of them. Unfortunately, there might be duplicate names, such as when creating another tap123 in the host namespace after we've moved the first one of this name into the fooz network namespace above:



$ sudo ip tuntap add tap123 mode tap
$ ip link show tap123
$ sudo ip netns exec fooz ip link show tap123


So we now have two tap123s in separate network namespaces, and fdinfo only gives us an ambiguous iff: tap123.



Unfortunately, looking at the /proc/$PID/ns/net network namespace of the tapclient won't help either, since that doesn't match the current network namespace of tap123 any longer:



$ findmnt -t nsfs | grep /run/netns/fooz
$ sudo readlink /proc/$PID/ns/net


For instance, this gives net:[4026532591] versus net:[4026531993].



It there a way to unambiguously match the tapclient process with the correct tap123 network interface instance it is attached to?






linux network-namespaces tap







share|improve this question
















I want to correctly match TAP/TUN devices with the processes they are using, and I want to do this from outside of these processes using TAP/TUN devices (that is, I cannot issue any ioctl()s because I don't have access to a particular file descriptor inside its process itself).



I'm aware of the answers to How to find the connection between tap interface and its file descriptor?, that is: /proc/[PID]/fdinfo/[FD] has an additional iff: key-value pair that gives the name of the corresponding TAP/TUN network interface.



However, there's a problem with network namespaces, especially when TAP/TUN network interfaces get moved around network namespaces after their user-space processes have attached to them; for instance (here, tapclient is a simple variation of a34729t's tunclient.c, which accepts a tap network name and attaches to it):



$ sudo ip tuntap add tap123 mode tap
$ sudo tapclient tap123 &
$ sudo ip netns add fooz
$ sudo ip link set tap123 netns fooz
$ PID=$(ps faux | grep tapclient | grep -v -e sudo -e grep | awk 'print $2')
$ sudo cat /proc/$PID/fdinfo/3


...which then gives: iff: tap123 -- but not the network namespace where the tap123 network interface is currently located in.



Of course, tap123 can be located by iterating over all network namespaces and looking for a matching network interface inside one of them. Unfortunately, there might be duplicate names, such as when creating another tap123 in the host namespace after we've moved the first one of this name into the fooz network namespace above:



$ sudo ip tuntap add tap123 mode tap
$ ip link show tap123
$ sudo ip netns exec fooz ip link show tap123


So we now have two tap123s in separate network namespaces, and fdinfo only gives us an ambiguous iff: tap123.



Unfortunately, looking at the /proc/$PID/ns/net network namespace of the tapclient won't help either, since that doesn't match the current network namespace of tap123 any longer:



$ findmnt -t nsfs | grep /run/netns/fooz
$ sudo readlink /proc/$PID/ns/net


For instance, this gives net:[4026532591] versus net:[4026531993].



It there a way to unambiguously match the tapclient process with the correct tap123 network interface instance it is attached to?






linux network-namespaces tap




linux network-namespaces tap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 7 at 19:48







TheDiveO

















asked Mar 7 at 8:36









TheDiveOTheDiveO

273111




273111












  • Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

    – TooTea
    Mar 7 at 10:40











  • @TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

    – TheDiveO
    Mar 7 at 14:16

















  • Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

    – TooTea
    Mar 7 at 10:40











  • @TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

    – TheDiveO
    Mar 7 at 14:16
















Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

– TooTea
Mar 7 at 10:40





Note that there's ip netns identify $PID that should give you the net namespace of $PID without you having to look at nsfs inode numbers (and ip netns pids fooz to go the other way), but they don't seem to find anything either. Sounds like a kernel bug.

– TooTea
Mar 7 at 10:40













@TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

– TheDiveO
Mar 7 at 14:16





@TooTea ip netns identify $PID is doing nothing more than taking /proc/$PID/ns/net and then trying to match only against its own list of bind-mounted symbolic network namespace names. Unfortunately, that's most of the time rather pointless as few are using iproute2's bindmount positions. My example is just using ip netns ... to give an easily reproducable example to check the underlying mechanisms, but it's not a typical deployment situation.

– TheDiveO
Mar 7 at 14:16










1 Answer
1






active

oldest

votes


















1














You can try matching the tun interface by its hardware address rather than by name (you can obtain that with ioctl(SIOCGIFHWADDR) on the tun/tap file descriptor).



I don't think there's anything simpler, otherwise a recent change like this (which adds the possibility of also retrieving the net namespace of the interface via the tun fd) wouldn't have been needed and accepted.






share|improve this answer

























  • The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

    – TheDiveO
    Mar 7 at 14:22











  • The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

    – TheDiveO
    Mar 7 at 15:12












  • I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

    – mosvy
    Mar 7 at 20:17











  • Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

    – TheDiveO
    Mar 7 at 22:08











  • "SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

    – mosvy
    Mar 7 at 23:30











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f504861%2fhow-to-get-the-linux-network-namespace-for-a-tap-tun-device-referenced-in-proc%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














You can try matching the tun interface by its hardware address rather than by name (you can obtain that with ioctl(SIOCGIFHWADDR) on the tun/tap file descriptor).



I don't think there's anything simpler, otherwise a recent change like this (which adds the possibility of also retrieving the net namespace of the interface via the tun fd) wouldn't have been needed and accepted.






share|improve this answer

























  • The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

    – TheDiveO
    Mar 7 at 14:22











  • The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

    – TheDiveO
    Mar 7 at 15:12












  • I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

    – mosvy
    Mar 7 at 20:17











  • Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

    – TheDiveO
    Mar 7 at 22:08











  • "SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

    – mosvy
    Mar 7 at 23:30















1














You can try matching the tun interface by its hardware address rather than by name (you can obtain that with ioctl(SIOCGIFHWADDR) on the tun/tap file descriptor).



I don't think there's anything simpler, otherwise a recent change like this (which adds the possibility of also retrieving the net namespace of the interface via the tun fd) wouldn't have been needed and accepted.






share|improve this answer

























  • The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

    – TheDiveO
    Mar 7 at 14:22











  • The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

    – TheDiveO
    Mar 7 at 15:12












  • I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

    – mosvy
    Mar 7 at 20:17











  • Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

    – TheDiveO
    Mar 7 at 22:08











  • "SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

    – mosvy
    Mar 7 at 23:30













1












1








1







You can try matching the tun interface by its hardware address rather than by name (you can obtain that with ioctl(SIOCGIFHWADDR) on the tun/tap file descriptor).



I don't think there's anything simpler, otherwise a recent change like this (which adds the possibility of also retrieving the net namespace of the interface via the tun fd) wouldn't have been needed and accepted.






share|improve this answer















You can try matching the tun interface by its hardware address rather than by name (you can obtain that with ioctl(SIOCGIFHWADDR) on the tun/tap file descriptor).



I don't think there's anything simpler, otherwise a recent change like this (which adds the possibility of also retrieving the net namespace of the interface via the tun fd) wouldn't have been needed and accepted.







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 7 at 11:06

























answered Mar 7 at 10:42









mosvymosvy

9,0271833




9,0271833












  • The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

    – TheDiveO
    Mar 7 at 14:22











  • The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

    – TheDiveO
    Mar 7 at 15:12












  • I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

    – mosvy
    Mar 7 at 20:17











  • Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

    – TheDiveO
    Mar 7 at 22:08











  • "SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

    – mosvy
    Mar 7 at 23:30

















  • The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

    – TheDiveO
    Mar 7 at 14:22











  • The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

    – TheDiveO
    Mar 7 at 15:12












  • I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

    – mosvy
    Mar 7 at 20:17











  • Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

    – TheDiveO
    Mar 7 at 22:08











  • "SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

    – mosvy
    Mar 7 at 23:30
















The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

– TheDiveO
Mar 7 at 14:22





The new SIOCGSKNSioctl() you link to looks very promising, I'll look into its code to see if it does the job I'm asking for. At first glance it looks like it does, as I noticed already that the TUN clone device fd has the network namespace associated, but this cannot be retrieved from userspace later. What I'm unsure is whether it really works under the example conditions laid out above. But an interesting link anyway, many thanks!

– TheDiveO
Mar 7 at 14:22













The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

– TheDiveO
Mar 7 at 15:12






The problem with SIOCGIFHWADDR and also SIOCGSKNS is rather that they need to be carried out on the original file descriptor because this fd's state is crucial here. Unfortunately, as unix.stackexchange.com/questions/74672/… points out, it's not really safely possible to duplicate the fd from the TAP/TUN user process to be used by someone else in order to issue the SIOCGKSNS. This leads me to believe that it's necessary to ask the kernel devs to be so kind as to add another fdinfo key for giving correct network namespace information.

– TheDiveO
Mar 7 at 15:12














I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

– mosvy
Mar 7 at 20:17





I disagree that it's not "safely possible" to attach to a process with ptrace() and run any code in the context of that process (including sending fds with SCM_RIGHTS), but I don't have any nice and fast code to show right now. Until they add that info to fdinfo, and If using gdb is an option, you can make a list of tap interfaces, and call the ioctl via gdb only when necessary (when there really are duplicate names, etc).

– mosvy
Mar 7 at 20:17













Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

– TheDiveO
Mar 7 at 22:08





Agreed on disagree: "safely" is misleading and I meant it to be along your "nice and fast code", deployable in production. I'm under the impression that SIOCGSKNS is strange as it returns the network namespace which was originally active when /dev/net/tun was opened. When moving the TAP/TUN later as in my example, the original network namespace would be returned, but the network interface isn't there anymore. The network namespace handling in tun.c looks slightly odd to me in places, especially when the stored original netns is passed but then ignored...

– TheDiveO
Mar 7 at 22:08













"SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

– mosvy
Mar 7 at 23:30





"SIOCGSKNS ... returns the network namespace which was originally active when /dev/net/tun was opened." that is unfortunately true ;-( wrong call, then.

– mosvy
Mar 7 at 23:30

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f504861%2fhow-to-get-the-linux-network-namespace-for-a-tap-tun-device-referenced-in-proc%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






-

Popular posts from this blog

Peggy Mitchell

Image
EastEnders character This article is about the soap opera character. For the British tennis player, see Peggy Michell. For the author, see Margaret Mitchell. Peggy Mitchell Barbara Windsor as Peggy Mitchell (2008) EastEnders character Portrayed by Jo Warne (1991) Barbara Windsor (1994–2016) Duration 1991, 1994–2010, 2013–2016 First appearance Episode 650 30 April 1991  ( 1991-04-30 ) Last appearance Episode 5286 17 May 2016  ( 2016-05-17 ) (appearance) Episode 5287 19 May 2016 (voiceover) Introduced by Michael Ferguson (1991) Barbara Emile (1994) Louise Berridge (2004) Kate Harwood (2005) Lorraine Newman (2013) Dominic Treadwell-Collins (2014) Spin-off appearances The Mitchells - Naked Truths (1998) Classification Former; regular Profile Other names Peggy Butcher Occupation Barmaid Businesswoman Pub landlady Jo Warne as Peggy Mitchell (1991) Family Family Mitchell Father Jack Martin Mother Lily Martin Sisters Aunt ...
Read more

Palaiologos

Image
Palaiologos Παλαιολόγος Palaeologus, Palaeologue Imperial Family Double-headed eagle with the family cypher Country Byzantine Empire, Duchy of Montferrat (remaining lineage after Empire annexed by Ottomans) Founded 11th century  ( 11th century ) Founder Nikephoros Palaiologos (first known) Final ruler Constantine XI Palaiologos (Byzantine Empire) Margaret Paleologa (Montferrat) Titles Byzantine Emperor Marquess of Montferrat Style(s) "Augustus" "Basileus" "Autokrator" Traditions Greek Orthodoxy (predominantly) Roman Catholicism (remaining lineage in Montferrat) Dissolution 1533  ( 1533 ) Cadet branches Claimants: House of Kastrioti (defunct) House of Rurik (defunct) Palaiologan dynasty Chronology Michael VIII 1259–1282 with Andronikos II as co-emperor, 1261–1282 Andronikos II 1282–1328 with Michael IX (1294–1320) and Andronikos III (1321–1328) as co-emperors Andronikos III 1328–1341 John...
Read more

The Forum (Inglewood, California)

Image
The Forum "LA Forum" Prairie Ave. façade of The Forum in 2014 Full name The Forum, presented by Chase Former names The Forum (1967–1988) Great Western Forum (1988–2003) Address 3900 W. Manchester Blvd Location Inglewood, California Coordinates Coordinates: 33°57′29″N 118°20′31″W  /  33.95806°N 118.34194°W  / 33.95806; -118.34194 Public transit     Downtown Inglewood station Owner The Madison Square Garden Company Operator MSG Entertainment Seating type Reserved Capacity 17,500 Half-bowl: 8,000 Construction Broke ground July 1, 1966  ( 1966-07-01 ) Opened December 30, 1967  ( 1967-12-30 ) Renovated 1988, 2012–2014 Construction cost $16 million Renovation: 2014: $76.5 million Architect Charles Luckman Associates (original) Brisbin Brook Beynon (renovation) Structural engineer Johnson & Nielsen Associates (original) Severud Associates (renovation) Genera...
Read more