[v1,SRU,Disco] ipv4: enable route flushing in network namespaces
diff mbox series

Message ID 20190906151958.21340-1-christian.brauner@ubuntu.com
State New
Headers show
Series
  • [v1,SRU,Disco] ipv4: enable route flushing in network namespaces
Related show

Commit Message

Christian Brauner Sept. 6, 2019, 3:19 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1836912

Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5cdda5f1d6adde02da591ca2196f20289977dc56)
---
 net/ipv4/route.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

Patch
diff mbox series

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3c89ca325947..4b1ec9710a32 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,9 +3077,11 @@  static struct ctl_table ipv4_route_table[] = {
 	{ }
 };
 
+static const char ipv4_route_flush_procname[] = "flush";
+
 static struct ctl_table ipv4_route_flush_table[] = {
 	{
-		.procname	= "flush",
+		.procname	= ipv4_route_flush_procname,
 		.maxlen		= sizeof(int),
 		.mode		= 0200,
 		.proc_handler	= ipv4_sysctl_rtcache_flush,
@@ -3097,9 +3099,11 @@  static __net_init int sysctl_route_net_init(struct net *net)
 		if (!tbl)
 			goto err_dup;
 
-		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
-			tbl[0].procname = NULL;
+		/* Don't export non-whitelisted sysctls to unprivileged users */
+		if (net->user_ns != &init_user_ns) {
+			if (tbl[0].procname != ipv4_route_flush_procname)
+				tbl[0].procname = NULL;
+		}
 	}
 	tbl[0].extra1 = net;