containers · Luap99 · Aug 1, 2025 · sourcery-ai · Aug 6, 2025
diff --git a/src/commands/setup.rs b/src/commands/setup.rs
@@ -160,8 +160,11 @@ impl Setup {
     }
 }
 
-fn teardown_drivers<'a, I>(drivers: I, host: &mut netlink::Socket, netns: &mut netlink::Socket)
-where
+fn teardown_drivers<'a, I>(
+    drivers: I,
+    host: &mut netlink::Socket,
+    netns: &mut netlink::Socket<netlink::ContainerNS>,
+) where
     I: Iterator<Item = &'a Box<dyn NetworkDriver + 'a>>,
 {
     for driver in drivers {

diff --git a/src/dhcp_proxy/ip.rs b/src/dhcp_proxy/ip.rs
@@ -34,8 +34,8 @@ trait Address<T> {
     fn new(l: &Lease, interface: &str) -> Result<Self, ProxyError>
     where
         Self: Sized;
-    fn add_ip(&self, nls: &mut Socket) -> Result<(), ProxyError>;
-    fn add_gws(&self, nls: &mut Socket) -> Result<(), ProxyError>;
+    fn add_ip(&self, nls: &mut Socket<netlink::ContainerNS>) -> Result<(), ProxyError>;
+    fn add_gws(&self, nls: &mut Socket<netlink::ContainerNS>) -> Result<(), ProxyError>;
 }
 
 fn handle_gws(g: Vec<String>, netmask: &str) -> Result<Vec<IpNet>, ProxyError> {
@@ -112,7 +112,7 @@ impl Address<Ipv4Addr> for MacVLAN {
     }
 
     //  add the ip address to the container namespace
-    fn add_ip(&self, nls: &mut Socket) -> Result<(), ProxyError> {
+    fn add_ip(&self, nls: &mut netlink::Socket<netlink::ContainerNS>) -> Result<(), ProxyError> {
         debug!("adding network information for {}", self.interface);
         let ip = IpNet::new(self.address, self.prefix_length)?;
         let dev = nls.get_link(netlink::LinkID::Name(self.interface.clone()))?;
@@ -123,7 +123,7 @@ impl Address<Ipv4Addr> for MacVLAN {
     }
 
     // add one or more routes to the container namespace
-    fn add_gws(&self, nls: &mut Socket) -> Result<(), ProxyError> {
+    fn add_gws(&self, nls: &mut Socket<netlink::ContainerNS>) -> Result<(), ProxyError> {
         debug!("adding gateways to {}", self.interface);
         match core_utils::add_default_routes(nls, &self.gateways, None) {
             Ok(_) => Ok(()),

diff --git a/src/network/bridge.rs b/src/network/bridge.rs
@@ -147,7 +147,10 @@ impl driver::NetworkDriver for Bridge<'_> {
 
     fn setup(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<(StatusBlock, Option<AardvarkEntry>)> {
         let data = match &self.data {
             Some(d) => d,
@@ -302,7 +305,10 @@ impl driver::NetworkDriver for Bridge<'_> {
 
     fn teardown(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<()> {
         let mode: Option<String> = parse_option(&self.info.network.options, OPTION_MODE)?;
         let mode = get_bridge_mode_from_string(mode.as_deref())?;
@@ -547,7 +553,7 @@ const IPV6_FORWARD: &str = "net/ipv6/conf/all/forwarding";
 /// returns the container veth mac address
 fn create_interfaces(
     host: &mut netlink::Socket,
-    netns: &mut netlink::Socket,
+    netns: &mut netlink::Socket<netlink::ContainerNS>,
     data: &InternalData,
     internal: bool,
     rootless: bool,
@@ -745,7 +751,7 @@ fn create_interfaces(
 #[allow(clippy::too_many_arguments)]
 fn create_veth_pair<'fd>(
     host: &mut netlink::Socket,
-    netns: &mut netlink::Socket,
+    netns: &mut netlink::Socket<netlink::ContainerNS>,
     data: &InternalData,
     primary_index: u32,
     bridge_mac: Option<Vec<u8>>,
@@ -992,7 +998,7 @@ fn check_link_is_vrf(msg: LinkMessage, vrf_name: &str) -> NetavarkResult<LinkMes
 
 fn remove_link(
     host: &mut netlink::Socket,
-    netns: &mut netlink::Socket,
+    netns: &mut netlink::Socket<netlink::ContainerNS>,
     mode: BridgeMode,
     br_name: &str,
     container_veth_name: &str,

diff --git a/src/network/core_utils.rs b/src/network/core_utils.rs
@@ -270,24 +270,27 @@ macro_rules! exec_netns {
     }};
 }
 
-pub struct NamespaceOptions {
+pub struct NamespaceOptions<N: netlink::Namespace> {
     /// Note we have to return the File object since the fd is only valid
     /// as long as the File object is valid
     pub file: File,
-    pub netlink: netlink::Socket,
+    pub netlink: netlink::Socket<N>,
 }
 
 pub fn open_netlink_sockets(
     netns_path: &str,
-) -> NetavarkResult<(NamespaceOptions, NamespaceOptions)> {
+) -> NetavarkResult<(
+    NamespaceOptions<netlink::HostNS>,
+    NamespaceOptions<netlink::ContainerNS>,
+)> {
     let netns = open_netlink_socket(netns_path).wrap("open container netns")?;
     let hostns = open_netlink_socket("/proc/self/ns/net").wrap("open host netns")?;
 
-    let host_socket = netlink::Socket::new().wrap("host netlink socket")?;
+    let host_socket = netlink::Socket::<netlink::HostNS>::new().wrap("host netlink socket")?;
     let netns_sock = exec_netns!(
         hostns.as_fd(),
         netns.as_fd(),
-        netlink::Socket::new().wrap("netns netlink socket")
+        netlink::Socket::<netlink::ContainerNS>::new().wrap("netns netlink socket")
     )?;
 
     Ok((
@@ -307,7 +310,7 @@ fn open_netlink_socket(netns_path: &str) -> NetavarkResult<File> {
 }
 
 pub fn add_default_routes(
-    sock: &mut netlink::Socket,
+    sock: &mut netlink::Socket<netlink::ContainerNS>,
     gws: &[ipnet::IpNet],
     metric: Option<u32>,
 ) -> NetavarkResult<()> {

diff --git a/src/network/dhcp.rs b/src/network/dhcp.rs
@@ -159,7 +159,10 @@ pub fn release_dhcp_lease(
     Ok(())
 }
 
-pub fn dhcp_teardown(info: &DriverInfo, sock: &mut netlink::Socket) -> NetavarkResult<()> {
+pub fn dhcp_teardown(
+    info: &DriverInfo,
+    sock: &mut netlink::Socket<netlink::ContainerNS>,
+) -> NetavarkResult<()> {
     let ipam = core_utils::get_ipam_addresses(info.per_network_opts, info.network)?;
     let if_name = info.per_network_opts.interface_name.clone();
 

diff --git a/src/network/driver.rs b/src/network/driver.rs
@@ -38,12 +38,18 @@ pub trait NetworkDriver {
     /// setup the network interfaces/firewall rules for this driver
     fn setup(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<(StatusBlock, Option<AardvarkEntry>)>;
     /// teardown the network interfaces/firewall rules for this driver
     fn teardown(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<()>;
 
     /// return the network name

diff --git a/src/network/netlink.rs b/src/network/netlink.rs
@@ -24,11 +24,22 @@ use netlink_packet_route::{
 };
 use netlink_sys::{protocols::NETLINK_ROUTE, SocketAddr};
 
-pub struct Socket {
+/// Marker trait for the Socket so we know it refers to either HostNS or ContainerNS.
+pub trait Namespace {}
+pub struct HostNS;
+pub struct ContainerNS;
+impl Namespace for HostNS {}
+impl Namespace for ContainerNS {}
+
+pub struct Socket<N: Namespace = HostNS> {
     socket: netlink_sys::Socket,
     sequence_number: u32,
     ///  buffer size for reading netlink messages, see NLMSG_GOODSIZE in the kernel
     buffer: [u8; 8192],
+
+    /// Marker for host or container namespace, allows functions to specify which netns
+    /// socket they need which then gets enforced at compile time without any runtime overhead.
+    _marker: std::marker::PhantomData<N>,
 }
 
 #[derive(Clone)]
@@ -110,8 +121,8 @@ macro_rules! function {
     }};
 }
 
-impl Socket {
-    pub fn new() -> NetavarkResult<Socket> {
+impl<N: Namespace> Socket<N> {
+    pub fn new() -> NetavarkResult<Socket<N>> {
         let mut socket = wrap!(netlink_sys::Socket::new(NETLINK_ROUTE), "open")?;
         let addr = &SocketAddr::new(0, 0);
         wrap!(socket.bind(addr), "bind")?;
@@ -121,6 +132,7 @@ impl Socket {
             socket,
             sequence_number: 0,
             buffer: [0; 8192],
+            _marker: std::marker::PhantomData,
         })
     }
 

diff --git a/src/network/plugin.rs b/src/network/plugin.rs
@@ -36,7 +36,10 @@ impl NetworkDriver for PluginDriver<'_> {
 
     fn setup(
         &self,
-        _netlink_sockets: (&mut super::netlink::Socket, &mut super::netlink::Socket),
+        _netlink_sockets: (
+            &mut super::netlink::Socket,
+            &mut super::netlink::Socket<super::netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<(types::StatusBlock, Option<AardvarkEntry>)> {
         let result = self.exec_plugin(true, self.info.netns_path).wrap(format!(
             "plugin {:?} failed",
@@ -49,7 +52,10 @@ impl NetworkDriver for PluginDriver<'_> {
 
     fn teardown(
         &self,
-        _netlink_sockets: (&mut super::netlink::Socket, &mut super::netlink::Socket),
+        _netlink_sockets: (
+            &mut super::netlink::Socket,
+            &mut super::netlink::Socket<super::netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<()> {
         self.exec_plugin(false, self.info.netns_path).wrap(format!(
             "plugin {:?} failed",

diff --git a/src/network/vlan.rs b/src/network/vlan.rs
@@ -145,7 +145,10 @@ impl driver::NetworkDriver for Vlan<'_> {
 
     fn setup(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> Result<(StatusBlock, Option<AardvarkEntry>), NetavarkError> {
         let data = match &self.data {
             Some(d) => d,
@@ -218,7 +221,10 @@ impl driver::NetworkDriver for Vlan<'_> {
 
     fn teardown(
         &self,
-        netlink_sockets: (&mut netlink::Socket, &mut netlink::Socket),
+        netlink_sockets: (
+            &mut netlink::Socket,
+            &mut netlink::Socket<netlink::ContainerNS>,
+        ),
     ) -> NetavarkResult<()> {
         dhcp_teardown(&self.info, netlink_sockets.1)?;
 
@@ -236,7 +242,7 @@ impl driver::NetworkDriver for Vlan<'_> {
 
 fn setup(
     host: &mut netlink::Socket,
-    netns: &mut netlink::Socket,
+    netns: &mut netlink::Socket<netlink::ContainerNS>,
     if_name: &str,
     data: &InternalData,
     hostns_fd: BorrowedFd<'_>,

diff --git a/src/test/netlink.rs b/src/test/netlink.rs
@@ -28,13 +28,16 @@ mod tests {
     #[test]
     fn test_socket_new() {
         test_setup!();
-        assert!(Socket::new().is_ok(), "Netlink Socket::new() should work");
+        assert!(
+            Socket::<HostNS>::new().is_ok(),
+            "Netlink Socket::<HostNS>::new() should work"
+        );
     }
 
     #[test]
     fn test_add_link() {
         test_setup!();
-        let mut sock = Socket::new().expect("Socket::new()");
+        let mut sock = Socket::<HostNS>::new().expect("Socket::<HostNS>::new()");
 
         let name = String::from("test1");
         sock.create_link(CreateLinkOptions::new(name.clone(), InfoKind::Dummy))
@@ -49,7 +52,7 @@ mod tests {
     #[test]
     fn test_add_addr() {
         test_setup!();
-        let mut sock = Socket::new().expect("Socket::new()");
+        let mut sock = Socket::<HostNS>::new().expect("Socket::<HostNS>::new()");
 
         let out = run_command!("ip", "link", "add", "test1", "type", "dummy");
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());
@@ -72,7 +75,7 @@ mod tests {
     #[test]
     fn test_del_addr() {
         test_setup!();
-        let mut sock = Socket::new().expect("Socket::new()");
+        let mut sock = Socket::<HostNS>::new().expect("Socket::<HostNS>::new()");
 
         let out = run_command!("ip", "link", "add", "test1", "type", "dummy");
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());
@@ -110,7 +113,7 @@ mod tests {
     #[ignore]
     fn test_del_route() {
         test_setup!();
-        let mut sock = Socket::new().expect("Socket::new()");
+        let mut sock = Socket::<HostNS>::new().expect("Socket::<HostNS>::new()");
 
         let out = run_command!("ip", "link", "add", "test1", "type", "dummy");
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());
@@ -159,7 +162,7 @@ mod tests {
     #[test]
     fn test_dump_addr() {
         test_setup!();
-        let mut sock = Socket::new().expect("Socket::new()");
+        let mut sock = Socket::<HostNS>::new().expect("Socket::<HostNS>::new()");
 
         let out = run_command!("ip", "link", "add", "test1", "type", "dummy");
         eprintln!("{}", String::from_utf8(out.stderr).unwrap());