
[SRU,Disco] ipv4: enable route flushing in network namespaces

Message ID 20190906130344.6531-1-christian.brauner@ubuntu.com
State New

Commit Message

Christian Brauner Sept. 6, 2019, 1:03 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1836912

Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/route.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
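
The check a reviewer or the bug reporter would run to confirm what the commit message describes, added here as an example that is not part of the patch, of vpnc or of the Ubuntu kernel tree: it does what vpnc does, writes 1 to /proc/sys/net/ipv4/route/flush from inside a network namespace owned by an unprivileged user namespace, and reports whether the sysctl was exported there. It assumes util-linux unshare(1) with -U/-r/-n; the verdict names are my own.

```sh
#!/bin/sh
# Added check for LP: #1836912; not part of the patch, of vpnc or of the
# Ubuntu kernel tree.  It does what the commit message says vpnc does:
# write 1 to /proc/sys/net/ipv4/route/flush from inside a network
# namespace that is owned by an unprivileged user namespace.  On a kernel
# without the fix the entry is not registered there at all, so the path
# does not exist; on a fixed kernel the write is accepted and flushes
# only that namespace's routing cache.
# Assumes util-linux unshare(1) with -U/-r/-n.  The verdict names are mine.

FLUSH_SYSCTL=/proc/sys/net/ipv4/route/flush

# Print exactly one verdict and always return 0 (safe under `set -e`):
#   no-userns     unshare(1) missing, or unprivileged user+net namespaces denied
#   not-exported  namespace created but the flush sysctl is absent there (unfixed)
#   flushed       namespace created and the write succeeded (fixed)
#   write-failed  sysctl present but the write was refused (e.g. read-only /proc)
route_flush_verdict() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo no-userns
        return 0
    fi
    # -U: new user namespace, -r: map ourselves to uid 0 in it,
    # -n: new network namespace owned by it.  This is the
    # "non-initial network namespace" of the patch.
    if ! unshare -Urn true >/dev/null 2>&1; then
        echo no-userns
        return 0
    fi
    # /proc/sys/net is resolved against the caller's network namespace,
    # so no fresh procfs mount is needed to look at the new namespace.
    if ! unshare -Urn sh -c "test -e $FLUSH_SYSCTL" >/dev/null 2>&1; then
        echo not-exported
        return 0
    fi
    # The entry is mode 0200; as root of the owning user namespace the
    # write is permitted and the flush is scoped to this namespace.
    if unshare -Urn sh -c "echo 1 > $FLUSH_SYSCTL" >/dev/null 2>&1; then
        echo flushed
    else
        echo write-failed
    fi
    return 0
}

# Run directly:  sh route_flush_check.sh
route_flush_verdict
```

On an unfixed kernel the verdict is not-exported, because NULLing the procname drops the entry before registration, so the file is missing rather than unwritable; flushed is the expected result after the fix. write-failed points at the environment (for example a read-only /proc bind mount in a container) rather than at the kernel.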

Comments

Stefan Bader Sept. 25, 2019, 8:47 a.m. UTC | #1
On 06.09.19 15:03, Christian Brauner wrote:
> BugLink: https://bugs.launchpad.net/bugs/1836912
> 
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
> 
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>

From (cherry picked/backported)?
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

> ---
>  net/ipv4/route.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index 3c89ca325947..4b1ec9710a32 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = {
>  	{ }
>  };
>  
> +static const char ipv4_route_flush_procname[] = "flush";
> +
>  static struct ctl_table ipv4_route_flush_table[] = {
>  	{
> -		.procname	= "flush",
> +		.procname	= ipv4_route_flush_procname,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0200,
>  		.proc_handler	= ipv4_sysctl_rtcache_flush,
> @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
>  		if (!tbl)
>  			goto err_dup;
>  
> -		/* Don't export sysctls to unprivileged users */
> -		if (net->user_ns != &init_user_ns)
> -			tbl[0].procname = NULL;
> +		/* Don't export non-whitelisted sysctls to unprivileged users */
> +		if (net->user_ns != &init_user_ns) {
> +			if (tbl[0].procname != ipv4_route_flush_procname)
> +				tbl[0].procname = NULL;
> +		}
>  	}
>  	tbl[0].extra1 = net;
>  
>
Tyler Hicks Sept. 25, 2019, 1:38 p.m. UTC | #2
On 2019-09-25 10:47:29, Stefan Bader wrote:
> On 06.09.19 15:03, Christian Brauner wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1836912
> > 
> > Tools such as vpnc try to flush routes when run inside network
> > namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> > currently does not work because flush is not enabled in non-initial
> > network namespaces.
> > Since routes are per network namespace it is safe to enable
> > /proc/sys/net/ipv4/route/flush in there.
> > 
> > Link: https://github.com/lxc/lxd/issues/4257
> > Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> From (cherry picked/backported)?

Christian sent a second version of this patch that contained the cherry
picked line:

 https://lists.ubuntu.com/archives/kernel-team/2019-September/103672.html

I've already given my ack to that patch so let's just nack this one.

> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

I'll expand on this part of Stefan's request since it might not be
obvious.

Christian, we always inject our Signed-off-by line when submitting a
patch for inclusion in Ubuntu kernels. This is true even for patches
where you are the upstream author.

The easiest way to get this right is to use the following command:

 $ git cherry-pick -xse <commit>

It adds a "(cherry picked from commit <commit>)" line and also adds your
S-O-B.

One notable exception to this rule is when you have to make adjustments
to the patch in order to get it to apply. In that case, you must
manually change the words "cherry picked" to "backported" resulting in
"(backported from commit <commit>)".

Tyler

> 
> > ---
> >  net/ipv4/route.c | 12 ++++++++----
> >  1 file changed, 8 insertions(+), 4 deletions(-)
> > 
> > diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> > index 3c89ca325947..4b1ec9710a32 100644
> > --- a/net/ipv4/route.c
> > +++ b/net/ipv4/route.c
> > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = {
> >  	{ }
> >  };
> >  
> > +static const char ipv4_route_flush_procname[] = "flush";
> > +
> >  static struct ctl_table ipv4_route_flush_table[] = {
> >  	{
> > -		.procname	= "flush",
> > +		.procname	= ipv4_route_flush_procname,
> >  		.maxlen		= sizeof(int),
> >  		.mode		= 0200,
> >  		.proc_handler	= ipv4_sysctl_rtcache_flush,
> > @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
> >  		if (!tbl)
> >  			goto err_dup;
> >  
> > -		/* Don't export sysctls to unprivileged users */
> > -		if (net->user_ns != &init_user_ns)
> > -			tbl[0].procname = NULL;
> > +		/* Don't export non-whitelisted sysctls to unprivileged users */
> > +		if (net->user_ns != &init_user_ns) {
> > +			if (tbl[0].procname != ipv4_route_flush_procname)
> > +				tbl[0].procname = NULL;
> > +		}
> >  	}
> >  	tbl[0].extra1 = net;
> >  

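The cherry-pick step Tyler describes, as an added example that is not part of this thread or of the Ubuntu kernel tree: a throwaway repository built on the spot shows what `git cherry-pick -xse` leaves in the message, and a small checker applies the test behind Stefan's "From (cherry picked/backported)?", a full-length provenance line followed by the submitter's Signed-off-by. It assumes git(1) and awk(1) are installed; names, addresses and file contents are made up.

```sh
#!/bin/sh
# Added example; not part of this thread or of the Ubuntu kernel tree.
# Shows what `git cherry-pick -xse` leaves in a commit message and checks
# a message for the trailers an SRU reviewer asks about:
# a "(cherry picked from commit <id>)" or "(backported from commit <id>)"
# line with a full 40-hex id, followed by the submitter's Signed-off-by.
# Assumes git(1) and awk(1); names, addresses and file contents are made up.

# Return 0 if the message in $1 carries the SRU provenance trailers.
sru_trailers_ok() {
    printf '%s\n' "$1" | awk '
        /^\((cherry picked|backported) from commit [0-9a-f]+\)$/ {
            id = $NF; sub(/\)$/, "", id)
            if (length(id) == 40) seen = 1   # full id, not an abbreviated one
            next
        }
        # Only a Signed-off-by after the provenance line counts: that is the
        # submitter signing the backport, not the upstream author.
        seen && /^Signed-off-by: / { sob = 1 }
        END { exit (seen && sob) ? 0 : 1 }'
}

# Build a throwaway repository: a base commit, an "upstream" fix on top, and
# an "ubuntu" branch at the base.  Pick the fix into ubuntu as the submitter
# and print the resulting message.
demo_cherry_pick_xse() {
    tmp=$(mktemp -d) || return 1
    (
        set -e
        cd "$tmp"
        HOME=${HOME:-$tmp}; export HOME      # git wants a HOME to look in
        git init -q
        git config user.name "Upstream Author"
        git config user.email "author@example.com"
        printf 'base\n' >route.c
        git add route.c
        git commit -q -m "base"
        git branch ubuntu
        printf 'fixed\n' >route.c
        git commit -q -a \
            -m "ipv4: enable route flushing in network namespaces" \
            -m "Signed-off-by: Upstream Author <author@example.com>"
        upstream=$(git rev-parse HEAD)
        git checkout -q ubuntu
        git config user.name "SRU Submitter"
        git config user.email "submitter@example.com"
        # -x records "(cherry picked from commit ...)", -s adds the
        # submitter's Signed-off-by, -e opens the editor (a no-op here);
        # that edit is where "cherry picked" becomes "backported" when the
        # patch needed changes to apply.
        GIT_EDITOR=true git cherry-pick -xse "$upstream" >/dev/null
        git log -1 --format=%B
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run directly to see the picked message:  sh sru_cherry_pick.sh
if command -v git >/dev/null 2>&1; then
    demo_cherry_pick_xse
fi
```

Running the file prints the picked message; its last two lines are the provenance line and the submitter's sign-off, in that order, which is why the checker only counts a Signed-off-by that follows the provenance line. A message that carries only the upstream author's sign-off, or an abbreviated commit id, is rejected.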
Patch

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3c89ca325947..4b1ec9710a32 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,9 +3077,11 @@  static struct ctl_table ipv4_route_table[] = {
 	{ }
 };
 
+static const char ipv4_route_flush_procname[] = "flush";
+
 static struct ctl_table ipv4_route_flush_table[] = {
 	{
-		.procname	= "flush",
+		.procname	= ipv4_route_flush_procname,
 		.maxlen		= sizeof(int),
 		.mode		= 0200,
 		.proc_handler	= ipv4_sysctl_rtcache_flush,
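Review bot: `ipv4_route_flush_procname` is introduced here so that the hunk below can recognise the flush entry by the address of its `.procname` rather than by its contents, but nothing in this hunk says so; add a comment above the definition along the lines of `/* compared by address in sysctl_route_net_init(); do not fold back into a literal */`, otherwise a later cleanup that restores `.procname = "flush"` compiles fine and silently disables the whitelist, since two `"flush"` literals need not share an address. Everything else in the entry (`.mode = 0200`, `ipv4_sysctl_rtcache_flush`) is unchanged, so the only new exposure is this write-only sysctl becoming visible to the owner of a non-initial network namespace.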
@@ -3097,9 +3099,11 @@  static __net_init int sysctl_route_net_init(struct net *net)
 		if (!tbl)
 			goto err_dup;
 
-		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
-			tbl[0].procname = NULL;
+		/* Don't export non-whitelisted sysctls to unprivileged users */
+		if (net->user_ns != &init_user_ns) {
+			if (tbl[0].procname != ipv4_route_flush_procname)
+				tbl[0].procname = NULL;
+		}
 	}
 	tbl[0].extra1 = net;
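Review bot: if, as the original `tbl[0]`-only handling suggests, `ipv4_route_flush_table[]` contains nothing but the flush entry, the inner `if (tbl[0].procname != ipv4_route_flush_procname)` can never be true and `tbl[0].procname = NULL;` is now dead code kept as a template for future non-whitelisted entries; either drop the whole `if (net->user_ns != &init_user_ns)` block or say in the comment that it is kept on purpose, and if it stays, fold the two conditions into one `if` as the original did. The safety claim in the commit message rests on the unchanged `tbl[0].extra1 = net;` just below: the handler receives the namespace the table was duplicated for, so a write from an unprivileged namespace can flush only that namespace's routing cache and not the host's; that is the sentence worth spelling out instead of the bare "it is safe".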