Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
Ben Hutchings, on Tue 19 Dec 2017 03:37:03 +0000, wrote:
> On Mon, 2017-12-18 at 01:44 +0100, Samuel Thibault wrote:
> > Ben Hutchings, on Mon 18 Dec 2017 00:37:48 +0000, wrote:
> > > On Mon, 2017-12-18 at 00:12 +0100, Samuel Thibault wrote:
> > > > It can be used as a maintained user-land TCP/IP stack.
> > >
> > > Why would this be useful for Debian systems, which already have a much
> > > better performing TCP/IP stack?
> >
> > But the kernel-provided stack can't be manipulated by userland for
> > e.g. VPNs, ppp, etc. without having to be root.
> [...]
>
> Not quite. On Linux you need CAP_NET_ADMIN in some user namespace.
Which is not so much more available.
> (In Debian this feature is guarded by a sysctl that's off by default,
> as a security mitigation.)
And thus is not generally available in installed systems.
> Even if that's disabled, a privileged container manager can create a
> new user namespace and start a container within that namespace with the
> CAP_NET_ADMIN capability.
Which doesn't usually happen on installed systems. I won't even try,
I'm sure admins of my work clusters will refuse to enable this, for fear
of the security consequences.
> To use lwip you would presumably need raw access to a network device,
> which also requires a privileged capability.
Not if it's a vpn or ppp over USB, etc., precisely.
It is exactly the kind of reason why qemu's user-land TCP/IP stack is
the default.
Samuel
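The disagreement above turns on what is actually in effect on an installed system: whether the Debian gating sysctl is on, and whether the calling process can end up with CAP_NET_ADMIN inside a user namespace. The following read-only audit script is an added example, not something from the bug thread or from the lwip project. It assumes a Linux host with `/proc`, that the sysctl Ben refers to is `kernel.unprivileged_userns_clone` (the Debian-specific knob; absent on most other kernels), that CAP_NET_ADMIN is capability bit 12 as in `<linux/capability.h>`, and that util-linux `unshare` is available for the optional live probe.

```bash
#!/bin/bash
# Added example, not from the Debian bug thread: a read-only audit of whether an
# unprivileged process on this host could obtain CAP_NET_ADMIN inside a user
# namespace, which is the condition the thread argues about.

CAP_NET_ADMIN=12   # bit number from <linux/capability.h>

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a hex capability mask
# (the format of the CapEff/CapPrm/CapBnd lines in /proc/<pid>/status).
cap_in_mask() {
    local mask=$1 bit=$2
    (( (0x$mask >> bit) & 1 ))
}

# describe_userns_sysctl VALUE: interpret the Debian-specific
# kernel.unprivileged_userns_clone value ("" means the knob is absent).
describe_userns_sysctl() {
    case "$1" in
        1)  echo "enabled: unprivileged users may create user namespaces" ;;
        0)  echo "disabled: only root (or a privileged container manager) can create user namespaces" ;;
        "") echo "absent: no Debian gating sysctl on this kernel; upstream default allows unprivileged user namespaces" ;;
        *)  echo "unknown value '$1'" ;;
    esac
}

# effective_caps: print the CapEff hex mask of the current process (empty if /proc is unavailable).
effective_caps() {
    [ -r /proc/self/status ] && awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# audit: print a short report for the host this runs on.
audit() {
    local sysctl_path=/proc/sys/kernel/unprivileged_userns_clone value=""
    [ -r "$sysctl_path" ] && value=$(cat "$sysctl_path")
    echo "unprivileged_userns_clone: $(describe_userns_sysctl "$value")"

    local caps
    caps=$(effective_caps)
    if [ -z "$caps" ]; then
        echo "CapEff: unavailable (no /proc/self/status)"
    elif cap_in_mask "$caps" "$CAP_NET_ADMIN"; then
        echo "CapEff $caps: this process already holds CAP_NET_ADMIN"
    else
        echo "CapEff $caps: this process lacks CAP_NET_ADMIN"
    fi

    # Live probe: can this user get a user namespace that owns a fresh network
    # namespace (and therefore CAP_NET_ADMIN within it)? Nothing is configured.
    if command -v unshare >/dev/null 2>&1; then
        if unshare -Urn true 2>/dev/null; then
            echo "unshare -Urn: succeeded, CAP_NET_ADMIN is reachable in a private netns"
        else
            echo "unshare -Urn: refused, a userland stack such as lwip would be the unprivileged route"
        fi
    fi
}

# Run the report only when executed directly, so the functions can also be sourced.
[ "${BASH_SOURCE[0]}" = "$0" ] && audit
```

Run it as an ordinary user on the machine in question; the three lines of output are exactly the three facts the thread disputes (sysctl state, current capabilities, and whether a user-owned network namespace can be created), so the question of whether a userland stack is the only unprivileged option can be answered per host rather than argued in the abstract.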