* [PATCH net-next] ipv4: enable route flushing in network namespaces
@ 2019-06-24 13:29 Christian Brauner
2019-06-24 19:49 ` David Ahern
2019-06-28 21:34 ` David Miller
0 siblings, 2 replies; 4+ messages in thread
From: Christian Brauner @ 2019-06-24 13:29 UTC (permalink / raw)
To: davem, kuznet, yoshfuji, netdev; +Cc: linux-kernel, Christian Brauner
Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.
Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
net/ipv4/route.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6cb7cff22db9..41726e26cd5f 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3197,9 +3197,11 @@ static struct ctl_table ipv4_route_table[] = {
{ }
};
+static const char ipv4_route_flush_procname[] = "flush";
+
static struct ctl_table ipv4_route_flush_table[] = {
{
- .procname = "flush",
+ .procname = ipv4_route_flush_procname,
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
@@ -3217,9 +3219,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
if (!tbl)
goto err_dup;
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- tbl[0].procname = NULL;
+ /* Don't export non-whitelisted sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns) {
+ if (tbl[0].procname != ipv4_route_flush_procname)
+ tbl[0].procname = NULL;
+ }
}
tbl[0].extra1 = net;
--
2.22.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH net-next] ipv4: enable route flushing in network namespaces
2019-06-24 13:29 [PATCH net-next] ipv4: enable route flushing in network namespaces Christian Brauner
@ 2019-06-24 19:49 ` David Ahern
2019-06-24 19:59 ` Christian Brauner
2019-06-28 21:34 ` David Miller
1 sibling, 1 reply; 4+ messages in thread
From: David Ahern @ 2019-06-24 19:49 UTC (permalink / raw)
To: Christian Brauner, davem, kuznet, yoshfuji, netdev; +Cc: linux-kernel
On 6/24/19 7:29 AM, Christian Brauner wrote:
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> ---
> net/ipv4/route.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
why not teach vpnc to use rtnetlink and then add a flush option to
RTM_DELROUTE?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] ipv4: enable route flushing in network namespaces
2019-06-24 19:49 ` David Ahern
@ 2019-06-24 19:59 ` Christian Brauner
0 siblings, 0 replies; 4+ messages in thread
From: Christian Brauner @ 2019-06-24 19:59 UTC (permalink / raw)
To: David Ahern, davem, kuznet, yoshfuji, netdev; +Cc: linux-kernel
On June 24, 2019 9:49:33 PM GMT+02:00, David Ahern <dsahern@gmail.com> wrote:
>On 6/24/19 7:29 AM, Christian Brauner wrote:
>> Tools such as vpnc try to flush routes when run inside network
>> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
>> currently does not work because flush is not enabled in non-initial
>> network namespaces.
>> Since routes are per network namespace it is safe to enable
>> /proc/sys/net/ipv4/route/flush in there.
>>
>> Link: https://github.com/lxc/lxd/issues/4257
>> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
>> ---
>> net/ipv4/route.c | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>
>why not teach vpnc to use rtnetlink and then add a flush option to
>RTM_DELROUTE?
I think that if you can do it unprivileged through netlink
you should also allow it through sysctls.
Even the original commit references it
to make it possible to enable the sysctls
1-by-1 as needed.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] ipv4: enable route flushing in network namespaces
2019-06-24 13:29 [PATCH net-next] ipv4: enable route flushing in network namespaces Christian Brauner
2019-06-24 19:49 ` David Ahern
@ 2019-06-28 21:34 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2019-06-28 21:34 UTC (permalink / raw)
To: christian; +Cc: kuznet, yoshfuji, netdev, linux-kernel
From: Christian Brauner <christian@brauner.io>
Date: Mon, 24 Jun 2019 15:29:23 +0200
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Applied.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-06-28 21:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-24 13:29 [PATCH net-next] ipv4: enable route flushing in network namespaces Christian Brauner
2019-06-24 19:49 ` David Ahern
2019-06-24 19:59 ` Christian Brauner
2019-06-28 21:34 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).