| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1545885159-7410-1-git-send-email-xiangxia.m.yue@gmail.com>
Date: Wed, 26 Dec 2018 20:32:39 -0800
From: xiangxia.m.yue@...il.com
To: davem@...emloft.net, xiyou.wangcong@...il.com
Cc: netdev@...r.kernel.org, Tonghao Zhang <xiangxia.m.yue@...il.com>
Subject: [PATCH net-next v2] net: ipv4: allocate ipv4_devconf memory for init_net
From: Tonghao Zhang <xiangxia.m.yue@...il.com>
The devconf setting on the init_net will affect other
namespace when them created. For example:
$ cat /proc/sys/net/ipv4/conf/all/rp_filter
0
$ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
$ cat /proc/sys/net/ipv4/conf/all/rp_filter
2
$ ip netns add ns100
$ ip netns exec ns100 bash
$ cat /proc/sys/net/ipv4/conf/all/rp_filter
2
The value of rp_filter in the ns100, should be 0 as
default, but it is 2 same as _init_net_.
In some case, there are many containers, on host, where running the
different type containers and applications. We don't know what network configuration
user will set. The new containers don't inherit our host configuration.
* host _init_net_ may be used as a complex network. (the rp_filter, arp_ignore
and arp_announce may be used.) but containers use them as default. Host network
configuration should not affect containers.
* containers and host network configuration are complete isolation.
To fix it and init devconf to default value, we allocate
memory for every namespace(include init_net), this memory
will be used to store themself setting data and we also
allocate memory to register sys_ctl tables.
IPv6 does that in the same way.
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@...il.com>
---
v1->v2: add more commit info.
---
net/ipv4/devinet.c | 40 ++++++++++++++++------------------------
1 file changed, 16 insertions(+), 24 deletions(-)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b9b6d4..2edf0f8 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2555,33 +2555,28 @@ static __net_init int devinet_init_net(struct net *net)
int err;
struct ipv4_devconf *all, *dflt;
#ifdef CONFIG_SYSCTL
- struct ctl_table *tbl = ctl_forward_entry;
+ struct ctl_table *tbl;
struct ctl_table_header *forw_hdr;
#endif
err = -ENOMEM;
- all = &ipv4_devconf;
- dflt = &ipv4_devconf_dflt;
-
- if (!net_eq(net, &init_net)) {
- all = kmemdup(all, sizeof(ipv4_devconf), GFP_KERNEL);
- if (!all)
- goto err_alloc_all;
+ all = kmemdup(&ipv4_devconf, sizeof(ipv4_devconf), GFP_KERNEL);
+ if (!all)
+ goto err_alloc_all;
- dflt = kmemdup(dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL);
- if (!dflt)
- goto err_alloc_dflt;
+ dflt = kmemdup(&ipv4_devconf_dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL);
+ if (!dflt)
+ goto err_alloc_dflt;
#ifdef CONFIG_SYSCTL
- tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
- if (!tbl)
- goto err_alloc_ctl;
+ tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
+ if (!tbl)
+ goto err_alloc_ctl;
- tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
- tbl[0].extra1 = all;
- tbl[0].extra2 = net;
+ tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
+ tbl[0].extra1 = all;
+ tbl[0].extra2 = net;
#endif
- }
#ifdef CONFIG_SYSCTL
err = __devinet_sysctl_register(net, "all", NETCONFA_IFINDEX_ALL, all);
@@ -2610,15 +2605,12 @@ static __net_init int devinet_init_net(struct net *net)
err_reg_dflt:
__devinet_sysctl_unregister(net, all, NETCONFA_IFINDEX_ALL);
err_reg_all:
- if (tbl != ctl_forward_entry)
- kfree(tbl);
+ kfree(tbl);
err_alloc_ctl:
#endif
- if (dflt != &ipv4_devconf_dflt)
- kfree(dflt);
+ kfree(dflt);
err_alloc_dflt:
- if (all != &ipv4_devconf)
- kfree(all);
+ kfree(all);
err_alloc_all:
return err;
}
--
1.8.3.1
Powered by blists - more mailing lists