2019-06-24 14:16:27

by Christian Brauner

Subject: [PATCH net-next] ipv4: enable route flushing in network namespaces

Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <[email protected]>
---
net/ipv4/route.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6cb7cff22db9..41726e26cd5f 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3197,9 +3197,11 @@ static struct ctl_table ipv4_route_table[] = {
{ }
};

+static const char ipv4_route_flush_procname[] = "flush";
+
static struct ctl_table ipv4_route_flush_table[] = {
{
- .procname = "flush",
+ .procname = ipv4_route_flush_procname,
.maxlen = sizeof(int),
.mode = 0200,
.proc_handler = ipv4_sysctl_rtcache_flush,
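Review bot: the new `ipv4_route_flush_procname` symbol exists only so that the init path further down can identify the flush entry by pointer identity instead of by string contents, and nothing at the declaration says so; a one-line comment above it (for example `/* compared by pointer in sysctl_route_net_init(), do not replace with a literal */`) would stop a later cleanup from turning `.procname` back into `"flush"` or swapping the compare for `strcmp()` and silently changing which namespaces see the entry. Since `.mode = 0200` means the file is writable only by the namespace owner's root, it is also worth spelling out in the commit message that the safety argument ("routes are per network namespace") depends on `ipv4_sysctl_rtcache_flush` only touching the calling namespace's own state, because that is the whole basis for handing this write to an unprivileged user namespace.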
@@ -3217,9 +3219,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
if (!tbl)
goto err_dup;

- /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
- tbl[0].procname = NULL;
+ /* Don't export non-whitelisted sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns) {
+ if (tbl[0].procname != ipv4_route_flush_procname)
+ tbl[0].procname = NULL;
+ }
}
tbl[0].extra1 = net;
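Review bot: the inner test `if (tbl[0].procname != ipv4_route_flush_procname)` can never be true for this table, so the branch that nulls the name is dead code: the `err_dup` label in the context shows `tbl` is a duplicate of `ipv4_route_flush_table`, whose only real entry is the flush one, and the duplicate carries the same `.procname` pointer. The hunk therefore removes the unprivileged-namespace restriction outright while still reading as if something were being filtered, and the "non-whitelisted" comment implies a list that does not exist. Either drop the nested `if` and the extra braces and let the comment carry the reasoning (`/* flush is per-netns, so it is safe to export to unprivileged users */`), or, if a reusable whitelist pattern is the intent, iterate over the whole table instead of looking at `tbl[0]` only and say so in the comment, so the next entry added to this table is handled deliberately rather than by accident of position.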

--
2.22.0


2019-06-24 22:00:04

by David Ahern

Subject: Re: [PATCH net-next] ipv4: enable route flushing in network namespaces

On 6/24/19 7:29 AM, Christian Brauner wrote:
> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <[email protected]>
> ---
> net/ipv4/route.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>

why not teach vpnc to use rtnetlink and then add a flush option to
RTM_DELROUTE?

2019-06-24 22:01:10

by Christian Brauner

Subject: Re: [PATCH net-next] ipv4: enable route flushing in network namespaces

On June 24, 2019 9:49:33 PM GMT+02:00, David Ahern <[email protected]> wrote:
>On 6/24/19 7:29 AM, Christian Brauner wrote:
>> Tools such as vpnc try to flush routes when run inside network
>> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
>> currently does not work because flush is not enabled in non-initial
>> network namespaces.
>> Since routes are per network namespace it is safe to enable
>> /proc/sys/net/ipv4/route/flush in there.
>>
>> Link: https://github.com/lxc/lxd/issues/4257
>> Signed-off-by: Christian Brauner <[email protected]>
>> ---
>> net/ipv4/route.c | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>
>why not teach vpnc to use rtnetlink and then add a flush option to
>RTM_DELROUTE?

I think that if you can do it unprivileged through netlink you should also allow it through sysctls. Even the original commit references it to make it possible to enable the sysctls 1-by-1 as needed.

2019-06-28 21:36:49

by David Miller

Subject: Re: [PATCH net-next] ipv4: enable route flushing in network namespaces

From: Christian Brauner <[email protected]>
Date: Mon, 24 Jun 2019 15:29:23 +0200

> Tools such as vpnc try to flush routes when run inside network
> namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
> currently does not work because flush is not enabled in non-initial
> network namespaces.
> Since routes are per network namespace it is safe to enable
> /proc/sys/net/ipv4/route/flush in there.
>
> Link: https://github.com/lxc/lxd/issues/4257
> Signed-off-by: Christian Brauner <[email protected]>

Applied.