| Message ID | 20190624132923.16792-1-christian@brauner.io |
|---|---|
| State | Accepted |
| Delegated to | David Miller |
| Series | [net-next] ipv4: enable route flushing in network namespaces |
On 6/24/19 7:29 AM, Christian Brauner wrote:
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> ---
> net/ipv4/route.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>

why not teach vpnc to use rtnetlink and then add a flush option to
RTM_DELROUTE?
On June 24, 2019 9:49:33 PM GMT+02:00, David Ahern <dsahern@gmail.com> wrote:
>On 6/24/19 7:29 AM, Christian Brauner wrote:
>> Tools such as vpnc try to flush routes when run inside network
>> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
>> currently does not work because flush is not enabled in non-initial
>> network namespaces.
>> Since routes are per network namespace it is safe to enable
>> /proc/sys/net/ipv4/route/flush in there.
>>
>> Link: https://github.com/lxc/lxd/issues/4257
>> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
>> ---
>> net/ipv4/route.c | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>
>why not teach vpnc to use rtnetlink and then add a flush option to
>RTM_DELROUTE?

I think that if you can do it unprivileged through netlink you should also
allow it through sysctls. Even the original commit references it to make it
possible to enable the sysctls 1-by-1 as needed.
From: Christian Brauner <christian@brauner.io>
Date: Mon, 24 Jun 2019 15:29:23 +0200

> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Applied.
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 6cb7cff22db9..41726e26cd5f 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -3197,9 +3197,11 @@ static struct ctl_table ipv4_route_table[] = { { } }; +static const char ipv4_route_flush_procname[] = "flush"; + static struct ctl_table ipv4_route_flush_table[] = { { - .procname = "flush", + .procname = ipv4_route_flush_procname, .maxlen = sizeof(int), .mode = 0200, .proc_handler = ipv4_sysctl_rtcache_flush, @@ -3217,9 +3219,11 @@ static __net_init int sysctl_route_net_init(struct net *net) if (!tbl) goto err_dup; - /* Don't export sysctls to unprivileged users */ - if (net->user_ns != &init_user_ns) - tbl[0].procname = NULL; + /* Don't export non-whitelisted sysctls to unprivileged users */ + if (net->user_ns != &init_user_ns) { + if (tbl[0].procname != ipv4_route_flush_procname) + tbl[0].procname = NULL; + } } tbl[0].extra1 = net;
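Review bot: the new `ipv4_route_flush_procname` array in the first hunk exists so that the table's `.procname` has a unique, comparable address (a bare "flush" literal could be merged with any other identical literal by the compiler, and then the pointer comparison in the init path would be meaningless), but nothing in the hunk says so. A one-line comment above the array, e.g. `/* named array: the netns init path identifies this entry by pointer */`, would keep a future cleanup from folding it back into a string literal and silently breaking the whitelist.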
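Review bot: the whitelist check in the second hunk, `if (tbl[0].procname != ipv4_route_flush_procname)`, compares pointers and only inspects `tbl[0]`, which is correct only while the duplicated flush table has a single real entry and the duplicate keeps the original `.procname` pointer; if further entries are whitelisted later, the `tbl[0]` special case will silently leave them hidden. Either loop over the table or add a comment stating the single-entry assumption next to the updated "non-whitelisted" comment, since that wording suggests a more general mechanism than one hardcoded pointer comparison. Note that `.mode = 0200` in the first hunk keeps the entry write-only, so exporting it to a non-init user namespace discloses nothing and, per the commit message, a write only flushes that namespace's own routes.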
Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
net/ipv4/route.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)