[PATCH][SRU][Disco] ipv4: enable route flushing in network namespaces


[PATCH][SRU][Disco] ipv4: enable route flushing in network namespaces

Christian Brauner
BugLink: https://bugs.launchpad.net/bugs/1836912

Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>
---
 net/ipv4/route.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 3c89ca325947..4b1ec9710a32 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = {
  { }
 };
 
+static const char ipv4_route_flush_procname[] = "flush";
+
 static struct ctl_table ipv4_route_flush_table[] = {
  {
- .procname = "flush",
+ .procname = ipv4_route_flush_procname,
  .maxlen = sizeof(int),
  .mode = 0200,
  .proc_handler = ipv4_sysctl_rtcache_flush,
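Review bot: the move from the "flush" literal to the static ipv4_route_flush_procname array needs a short comment at the declaration saying it exists so that sysctl_route_net_init can recognise the entry by pointer identity rather than by name; without it the array reads as a pointless indirection. Worth stating in the commit message as well: .mode stays 0200, so the entry that becomes visible in non-initial user namespaces remains write-only, and the only effect of a write is a call into ipv4_sysctl_rtcache_flush for that namespace.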
@@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
  if (!tbl)
  goto err_dup;
 
- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- tbl[0].procname = NULL;
+ /* Don't export non-whitelisted sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns) {
+ if (tbl[0].procname != ipv4_route_flush_procname)
+ tbl[0].procname = NULL;
+ }
  }
  tbl[0].extra1 = net;
 
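Review bot: the comparison `tbl[0].procname != ipv4_route_flush_procname` is a pointer check, which is only correct because tbl is a copy of the static table whose entries still point at the same procname array; a one-line comment saying so would save the next reader a trip back to the table definition. The comment says "non-whitelisted", but the table has a single entry and only tbl[0] is examined, so the nested ifs collapse to one condition:
 if (net->user_ns != &init_user_ns &&
     tbl[0].procname != ipv4_route_flush_procname)
         tbl[0].procname = NULL;
Since the flush entry is now reachable from unprivileged user namespaces, the description should also spell out the scoping argument the code relies on: `tbl[0].extra1 = net` is assigned right below, so the handler only ever flushes the calling namespace's own routes.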
--
2.23.0


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: [PATCH][SRU][Disco] ipv4: enable route flushing in network namespaces

Stefan Bader
On 06.09.19 15:03, Christian Brauner wrote:

> BugLink: https://bugs.launchpad.net/bugs/1836912
>
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <[hidden email]>
> Signed-off-by: David S. Miller <[hidden email]>
From (cherry picked/backported)?
Signed-off-by: Christian Brauner <[hidden email]>

> ---
>  net/ipv4/route.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index 3c89ca325947..4b1ec9710a32 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = {
>   { }
>  };
>  
> +static const char ipv4_route_flush_procname[] = "flush";
> +
>  static struct ctl_table ipv4_route_flush_table[] = {
>   {
> - .procname = "flush",
> + .procname = ipv4_route_flush_procname,
>   .maxlen = sizeof(int),
>   .mode = 0200,
>   .proc_handler = ipv4_sysctl_rtcache_flush,
> @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
>   if (!tbl)
>   goto err_dup;
>  
> - /* Don't export sysctls to unprivileged users */
> - if (net->user_ns != &init_user_ns)
> - tbl[0].procname = NULL;
> + /* Don't export non-whitelisted sysctls to unprivileged users */
> + if (net->user_ns != &init_user_ns) {
> + if (tbl[0].procname != ipv4_route_flush_procname)
> + tbl[0].procname = NULL;
> + }
>   }
>   tbl[0].extra1 = net;
>  
>



NAK: [PATCH][SRU][Disco] ipv4: enable route flushing in network namespaces

Tyler Hicks
On 2019-09-25 10:47:29, Stefan Bader wrote:

> On 06.09.19 15:03, Christian Brauner wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1836912
> >
> > Tools such as vpnc try to flush routes when run inside network
> > namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> > currently does not work because flush is not enabled in non-initial
> > network namespaces.
> > Since routes are per network namespace it is safe to enable
> > /proc/sys/net/ipv4/route/flush in there.
> >
> > Link: https://github.com/lxc/lxd/issues/4257
> > Signed-off-by: Christian Brauner <[hidden email]>
> > Signed-off-by: David S. Miller <[hidden email]>
>
> From (cherry picked/backported)?

Christian sent a second version of this patch that contained the cherry
picked line:

 https://lists.ubuntu.com/archives/kernel-team/2019-September/103672.html

I've already given my ack to that patch, so let's just NAK this one.

> Signed-off-by: Christian Brauner <[hidden email]>

I'll expand on this part of Stefan's request since it might not be
obvious.

Christian, we always inject our Signed-off-by line when submitting a
patch for inclusion in Ubuntu kernels. This is true even for patches
where you are the upstream author.

The easiest way to get this right is to use the following command:

 $ git cherry-pick -xse <commit>

It adds a "(cherry picked from commit <commit>)" line and also adds your
S-O-B.

One notable exception to this rule is when you have to make adjustments
to the patch in order to get it to apply. In that case, you must
manually change the words "cherry picked" to "backported" resulting in
"(backported from commit <commit>)".

Tyler

>
> > ---
> >  net/ipv4/route.c | 12 ++++++++----
> >  1 file changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> > index 3c89ca325947..4b1ec9710a32 100644
> > --- a/net/ipv4/route.c
> > +++ b/net/ipv4/route.c
> > @@ -3077,9 +3077,11 @@ static struct ctl_table ipv4_route_table[] = {
> >   { }
> >  };
> >  
> > +static const char ipv4_route_flush_procname[] = "flush";
> > +
> >  static struct ctl_table ipv4_route_flush_table[] = {
> >   {
> > - .procname = "flush",
> > + .procname = ipv4_route_flush_procname,
> >   .maxlen = sizeof(int),
> >   .mode = 0200,
> >   .proc_handler = ipv4_sysctl_rtcache_flush,
> > @@ -3097,9 +3099,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
> >   if (!tbl)
> >   goto err_dup;
> >  
> > - /* Don't export sysctls to unprivileged users */
> > - if (net->user_ns != &init_user_ns)
> > - tbl[0].procname = NULL;
> > + /* Don't export non-whitelisted sysctls to unprivileged users */
> > + if (net->user_ns != &init_user_ns) {
> > + if (tbl[0].procname != ipv4_route_flush_procname)
> > + tbl[0].procname = NULL;
> > + }
> >   }
> >   tbl[0].extra1 = net;
> >  
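The submission convention Tyler describes above, as an added example that is not part of this thread or of the Ubuntu kernel tooling: a small POSIX shell checker that confirms a prepared commit message carries the provenance line `git cherry-pick -xse` adds plus a Signed-off-by from the submitter, and rewrites "cherry picked" to "backported" when the patch needed adjustments. The function names and the sample message (with a placeholder commit id and placeholder addresses) are constructed here.

```shell
#!/bin/sh
# Constructed sample of a commit message after "git cherry-pick -xse".
# The commit id and the e-mail addresses are placeholders.
SAMPLE_MSG='ipv4: enable route flushing in network namespaces

BugLink: https://bugs.launchpad.net/bugs/1836912

Signed-off-by: Christian Brauner <upstream@example.invalid>
(cherry picked from commit <upstream-commit-placeholder>)
Signed-off-by: Christian Brauner <submitter@example.invalid>'

# sru_provenance MSG -> prints "cherry-pick", "backport" or "none"
sru_provenance() {
    case "$1" in
        *"(cherry picked from commit "*) echo cherry-pick ;;
        *"(backported from commit "*)    echo backport ;;
        *)                               echo none ;;
    esac
}

# sru_has_sob MSG NAME -> succeeds if a Signed-off-by line for NAME exists
sru_has_sob() {
    printf '%s\n' "$1" | grep -q "^Signed-off-by: $2 <"
}

# sru_mark_backport MSG -> same message with the provenance line changed
# to the wording required when the patch needed changes to apply
sru_mark_backport() {
    printf '%s\n' "$1" |
        sed 's/(cherry picked from commit /(backported from commit /'
}

# sru_check MSG NAME -> "ok" when both conventions are met, else a reason
sru_check() {
    prov=$(sru_provenance "$1")
    if [ "$prov" = none ]; then
        echo "missing (cherry picked/backported from commit ...) line"
    elif ! sru_has_sob "$1" "$2"; then
        echo "missing Signed-off-by from submitter $2"
    else
        echo ok
    fi
}

# Stand-alone usage: report on the constructed sample message
sru_check "$SAMPLE_MSG" "Christian Brauner"
```

In a real workflow the message would come from `git log -1 --format=%B` rather than a constant.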