ipset is accessible from other namespaces
Issue
- Network namespaces in the Linux kernel are supposed to create completely separate network stacks, such that ipset and iptables configurations are unique to each namespace and are not visible from other network namespaces. However, this is currently not the case.
ipset is currently accessible from other namespaces.
From the default network namespace, create an ipset named test_ipset.
[root@server1]# ipset create test_ipset list:set
[root@server1]# ipset list test_ipset
Name: test_ipset
Type: list:set
Revision: 1
Header: size 8
Size in memory: 128
References: 0
Members:
Now, create a new network namespace named testing_network_namespace.
[root@server1]# ip netns add testing_network_namespace
Output below shows that testing_network_namespace can see test_ipset when it shouldn't be able to.
[root@server1]# ip netns exec testing_network_namespace ipset list test_ipset
Name: test_ipset
Type: list:set
Revision: 1
Header: size 8
Size in memory: 128
References: 0
Members:
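The session above checks one set by hand. The script below is an added example (it is not part of the Red Hat article) that turns the same check into a repeatable audit: it gathers set names from the default namespace and from a named namespace with `ipset list -n`, and reports any name present in both. The comparison helper is separated from the commands that need root so it can be exercised offline; the namespace name is taken as a parameter. It assumes sets were created only in the default namespace, as in the article, since on an isolated kernel a set created inside the namespace with the same name would legitimately appear in both listings.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: detect ipsets that are visible
# both from the default network namespace and from a named namespace.

# Pure helper: takes two newline-separated lists of set names and prints the
# names present in both, sorted and de-duplicated. Set names contain no
# whitespace, so plain word splitting is sufficient.
sets_visible_in_both() {
    for name in $1; do
        for other in $2; do
            if [ "$name" = "$other" ]; then
                printf '%s\n' "$name"
            fi
        done
    done | sort -u
}

# Live audit (requires root, ipset and iproute2; not run by the offline test).
# Returns 1 when at least one set from the default namespace is visible inside
# the namespace given as $1, 0 when isolation holds for all default-namespace
# sets.
audit_ipset_namespace_isolation() {
    ns="$1"
    default_sets=$(ipset list -n)
    ns_sets=$(ip netns exec "$ns" ipset list -n)
    leaked=$(sets_visible_in_both "$default_sets" "$ns_sets")
    if [ -n "$leaked" ]; then
        printf 'ipset(s) visible in both the default and %s namespaces:\n%s\n' "$ns" "$leaked"
        return 1
    fi
    printf 'no ipset from the default namespace is visible in %s\n' "$ns"
    return 0
}

# Usage: sh audit_ipset.sh testing_network_namespace
if [ "$#" -ge 1 ]; then
    audit_ipset_namespace_isolation "$1"
fi
```

Run it against the namespace created above; on a kernel affected by this issue the script lists test_ipset and exits non-zero, which makes it usable as a quick pre-deployment check for hosts whose firewall rules rely on per-namespace ipsets.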
Environment
- Red Hat Enterprise Linux (RHEL) 7.3 and earlier
- ipset
- kernel