Date: Tue, 18 Aug 2020 17:51:23 -0700
From: Mahesh Bandewar <maheshb@...gle.com>
To: Netdev <netdev@...r.kernel.org>
Cc: David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Mahesh Bandewar <mahesh@...dewar.net>, Mahesh Bandewar <maheshb@...gle.com>, Maciej Zenczykowski <maze@...gle.com>, Jian Yang <jianyang@...gle.com>
Subject: [PATCH next] net: add option to not create fall-back tunnels in root-ns as well

The sysctl was added earlier by commit 79134e6ce2c ("net: do not create fallback tunnels for non-default namespaces") to create fall-back tunnels only in root-ns. This patch enhances that behavior to provide an option not to create fallback tunnels in root-ns as well.

Since modules that create fallback tunnels could be built-in and setting the sysctl value after booting is pointless, a config option was added which defaults to zero (to preserve backward compatibility) but also takes the values "1" and "2", which don't create fallback tunnels in non-root namespaces only and nowhere, respectively.

Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: Maciej Zenczykowski <maze@...gle.com>
Cc: Jian Yang <jianyang@...gle.com>
--- Documentation/admin-guide/sysctl/net.rst | 21 ++++++++++++++------- include/linux/netdevice.h | 7 ++++++- net/Kconfig | 11 +++++++++++ net/core/sysctl_net_core.c | 4 ++-- 4 files changed, 33 insertions(+), 10 deletions(-) diff --git a/Documentation/admin-guide/sysctl/net.rst b/Documentation/admin-guide/sysctl/net.rst index 42cd04bca548..aa1f5727d291 100644 --- a/Documentation/admin-guide/sysctl/net.rst +++ b/Documentation/admin-guide/sysctl/net.rst 
@@ -321,13 +321,20 @@ fb_tunnels_only_for_init_net ---------------------------- Controls if fallback tunnels (like tunl0, gre0, gretap0, erspan0, -sit0, ip6tnl0, ip6gre0) are automatically created when a new -network namespace is created, if corresponding tunnel is present -in initial network namespace. -If set to 1, these devices are not automatically created, and -user space is responsible for creating them if needed. - -Default : 0 (for compatibility reasons) +sit0, ip6tnl0, ip6gre0) are automatically created. There are 3 +possibiltieis. +(a) value = 0; respective fallback tunnels are created when module is +loaded in every net namespaces (backward compatible behavior). +(b) value = 1; respective fallback tunnels are created only in root +net namespace and every other net namespace will not have them. +(c) value = 2; fallback tunnels are not created when a module is +loaded in any of the net namespace. + +Not creating fallback tunnels gives control to userspace to create +whatever is needed and avoid creating devices which are not used. + +Default: The value of this sysctl is set via config item SYSCTL_FB_TUNNEL +and is set to "0" by default. (for compatibility reasons) devconf_inherit_init_net ------------------------ diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index b0e303f6603f..327a302c8c26 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -640,9 +640,14 @@ struct netdev_queue { extern int sysctl_fb_tunnels_only_for_init_net; extern int sysctl_devconf_inherit_init_net; +/* + * sysctl_fb_tunnels_only_for_init_net == 0 : For all netns + * == 1 : For initns only + * == 2 : For none. + */ static inline bool net_has_fallback_tunnels(const struct net *net) { - return net == &init_net || + return (net == &init_net && sysctl_fb_tunnels_only_for_init_net == 1) || !IS_ENABLED(CONFIG_SYSCTL) || !sysctl_fb_tunnels_only_for_init_net; } diff --git a/net/Kconfig b/net/Kconfig index 3831206977a1..a57671e8a324 100644 
--- a/net/Kconfig +++ b/net/Kconfig @@ -460,6 +460,17 @@ config ETHTOOL_NETLINK netlink. It provides better extensibility and some new features, e.g. notification messages. +config SYSCTL_FB_TUNNEL + int "Value for sysctl_fb_tunnels_only_for_init_net" + range 0 2 + default 0 + help + A sysctl value for sysctl_fb_tunnels_only_for_init_net. The value "0" + is for backward compatibility and creates fall-back tunnels in root-ns + as well as any newly created net namespaces. The value "1" restricts + this these fallback tunnels to only root-ns while value "2" does not + create these tunnels anywhere. + endif # if NET # Used by archs to tell that they support BPF JIT compiler plus which flavour. diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c index 6ada114bbcca..06b98cb2e21d 100644 --- a/net/core/sysctl_net_core.c +++ b/net/core/sysctl_net_core.c @@ -32,7 +32,7 @@ static long long_max __maybe_unused = LONG_MAX; static int net_msg_warn; /* Unused, but still a sysctl */ -int sysctl_fb_tunnels_only_for_init_net __read_mostly = 0; +int sysctl_fb_tunnels_only_for_init_net __read_mostly = CONFIG_SYSCTL_FB_TUNNEL; EXPORT_SYMBOL(sysctl_fb_tunnels_only_for_init_net); /* 0 - Keep current behavior: @@ -546,7 +546,7 @@ static struct ctl_table net_core_table[] = { .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, - .extra2 = SYSCTL_ONE, + .extra2 = &two, }, { .procname = "devconf_inherit_init_net", -- 2.28.0.220.ged08abb693-goog
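Review bot: the net.rst hunk ships typos into the admin guide: "There are 3 possibiltieis." should read "There are 3 possibilities.", and "created when module is loaded in every net namespaces" should read "created when the module is loaded, in every net namespace". The config item should be named by its full symbol, CONFIG_SYSCTL_FB_TUNNEL, and the "(a)"/"(b)"/"(c)" items need a blank line before them to render as a list in reStructuredText rather than being folded into the preceding sentence. Since the commit message itself notes that writing the sysctl after boot is pointless for built-in modules, the text should also say plainly that the value is consulted only when a tunnel module initializes a namespace, so changing it later neither removes fallback devices that already exist nor creates ones that were skipped.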
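Review bot: in the netdevice.h hunk, CONFIG_SYSCTL_FB_TUNNEL=2 has no effect on a kernel built without CONFIG_SYSCTL: net_has_fallback_tunnels() still returns true through the unchanged `!IS_ENABLED(CONFIG_SYSCTL)` term, so every namespace, root-ns included, gets the fallback devices even though the Kconfig help promises "does not create these tunnels anywhere". Either give the new Kconfig entry `depends on SYSCTL` so the combination cannot be configured, or drop the IS_ENABLED short-circuit and compare against CONFIG_SYSCTL_FB_TUNNEL directly when sysctl support is not built, since the value is now a compile-time constant anyway. The bare literals 0/1/2 tested here, repeated in the comment above the function and bounded by `&two` in the sysctl table, would also be clearer as named constants shared between the two files.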
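Review bot: the Kconfig help text has a stray word, "restricts this these fallback tunnels" should be "restricts these fallback tunnels", and mixes "fall-back" and "fallback" in the same paragraph. The prompt string "Value for sysctl_fb_tunnels_only_for_init_net" exposes the kernel variable name; the administrator-facing name is the sysctl fb_tunnels_only_for_init_net under net.core documented in net.rst, so the prompt and help should use that and state that the option only sets the boot-time default, which the sysctl (mode 0644 in the net_core_table hunk) can still change at runtime.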