From: Mike Manning
Subject: [PATCH net-next v3 4/9] net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs
Date: Thu, 4 Oct 2018 16:12:09 +0100
Message-ID: <20181004151214.8522-5-mmanning@vyatta.att-mail.com>
References: <20181004151214.8522-1-mmanning@vyatta.att-mail.com>
In-Reply-To: <20181004151214.8522-1-mmanning@vyatta.att-mail.com>
To: netdev@vger.kernel.org

Add a sysctl raw_l3mdev_accept to control raw socket lookup in a manner similar to the use of tcp_l3mdev_accept for stream and of udp_l3mdev_accept for datagram sockets. Have this default to off, as this is what users expect, given that there is no explicit mechanism to set an unmodified VRF-unaware application into a default VRF.

Signed-off-by: Mike Manning
---
 Documentation/networking/ip-sysctl.txt | 9 +++++++++
 Documentation/networking/vrf.txt       | 8 +++++---
 include/net/netns/ipv4.h               | 3 +++
 net/ipv4/sysctl_net_ipv4.c             | 11 +++++++++++
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index 8313a636dd53..a46be4a5b7a0 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -788,6 +788,15 @@ udp_wmem_min - INTEGER total pages of UDP sockets exceed udp_mem pressure. The unit is byte. Default: 4K +RAW variables: + +raw_l3mdev_accept - BOOLEAN + Enabling this option allows a "global" bound socket to work + across L3 master domains (e.g., VRFs) with packets capable of + being received regardless of the L3 domain in which they + originated. Only valid when the kernel was compiled with + CONFIG_NET_L3_MASTER_DEV. + CIPSOv4 Variables: cipso_cache_enable - BOOLEAN diff --git a/Documentation/networking/vrf.txt b/Documentation/networking/vrf.txt index d4b129402d57..deb798342f1e 100644 --- a/Documentation/networking/vrf.txt +++ b/Documentation/networking/vrf.txt
@@ -108,11 +108,13 @@ limited to the default VRF. That is, it will not be matched by packets arriving on interfaces enslaved to an l3mdev and processes may bind to the same port if they bind to an l3mdev. -TCP & UDP services running in the default VRF context (ie., not bound -to any VRF device) can work across all VRF domains by enabling the -tcp_l3mdev_accept and udp_l3mdev_accept sysctl options: +TCP & UDP services & services using RAW sockets that are running in the +default VRF context (ie., not bound to any VRF device) can work across +all VRF domains by enabling the tcp_l3mdev_accept, udp_l3mdev_accept and +raw_l3mdev_accept sysctl options: sysctl -w net.ipv4.tcp_l3mdev_accept=1 sysctl -w net.ipv4.udp_l3mdev_accept=1 + sysctl -w net.ipv4.raw_l3mdev_accept=1 netfilter rules on the VRF device can be used to limit access to services running in the default VRF context as well. diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index e47503b4e4d1..104a6669e344 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -103,6 +103,9 @@ struct netns_ipv4 { /* Shall we try to damage output packets if routing dev changes? */ int sysctl_ip_dynaddr; int sysctl_ip_early_demux; +#ifdef CONFIG_NET_L3_MASTER_DEV + int sysctl_raw_l3mdev_accept; +#endif int sysctl_tcp_early_demux; int sysctl_udp_early_demux; diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c index b92f422f2fa8..d173337040ee 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -601,6 +601,17 @@ static struct ctl_table ipv4_net_table[] = { .mode = 0644, .proc_handler = ipv4_ping_group_range, }, +#ifdef CONFIG_NET_L3_MASTER_DEV + { + .procname = "raw_l3mdev_accept", + .data = &init_net.ipv4.sysctl_raw_l3mdev_accept, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, + }, +#endif { .procname = "tcp_ecn", .data = &init_net.ipv4.sysctl_tcp_ecn, -- 2.11.0
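Review bot: the new raw_l3mdev_accept entry in the ip-sysctl.txt hunk does not state its default, although the neighbouring udp_wmem_min entry closes with a "Default:" line and the commit message says the sysctl defaults to off; add a closing line such as `Default: 0 (disabled)` so readers of the documentation can see that a global raw socket does not receive packets from other L3 domains unless this is explicitly enabled.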
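Review bot: the rewritten sentence in the vrf.txt hunk, "TCP & UDP services & services using RAW sockets that are running in the default VRF context", chains two ampersands and reads awkwardly; suggest "TCP, UDP and raw socket services running in the default VRF context (ie., not bound to any VRF device) can work across all VRF domains by enabling ...". The added `sysctl -w net.ipv4.raw_l3mdev_accept=1` line matches the two existing ones.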
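Review bot: in the include/net/netns/ipv4.h hunk the new field is inserted between sysctl_ip_early_demux and the sysctl_tcp_early_demux/sysctl_udp_early_demux pair, splitting the early_demux group; placing it after that group keeps the struct readable. Separately, the diffstat lists only the two documentation files, this header and the sysctl table, so nothing in this patch reads sysctl_raw_l3mdev_accept yet; the commit message should say that the raw socket lookup change consuming the flag comes in a later patch of the series, so the patch is understandable on its own.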
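Review bot: the new ctl_table entry in the net/ipv4/sysctl_net_ipv4.c hunk is placed between ping_group_range and tcp_ecn rather than beside the tcp_l3mdev_accept and udp_l3mdev_accept entries it mirrors; grouping the three l3mdev_accept sysctls together makes it easier to check that they are gated and range-limited the same way. The entry itself looks right: proc_dointvec_minmax with .extra1 = &zero and .extra2 = &one confines the value to 0/1, matching the BOOLEAN documentation, and the #ifdef CONFIG_NET_L3_MASTER_DEV guard matches the one around the struct field.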