net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs (6897445f) · Commits · e / devices / android_kernel_fairphone_FP5

Documentation/networking/ip-sysctl.txt

+12 −0

Original line number	Diff line number	Diff line
		@@ -370,6 +370,7 @@ tcp_l3mdev_accept - BOOLEAN
		derived from the listen socket to be bound to the L3 domain in
		which the packets originated. Only valid when the kernel was
		compiled with CONFIG_NET_L3_MASTER_DEV.
		Default: 0 (disabled)

		tcp_low_latency - BOOLEAN
		This is a legacy option, it has no effect anymore.
		@@ -773,6 +774,7 @@ udp_l3mdev_accept - BOOLEAN
		being received regardless of the L3 domain in which they
		originated. Only valid when the kernel was compiled with
		CONFIG_NET_L3_MASTER_DEV.
		Default: 0 (disabled)

		udp_mem - vector of 3 INTEGERs: min, pressure, max
		Number of pages allowed for queueing by all UDP sockets.
		@@ -799,6 +801,16 @@ udp_wmem_min - INTEGER
		total pages of UDP sockets exceed udp_mem pressure. The unit is byte.
		Default: 4K

		RAW variables:

		raw_l3mdev_accept - BOOLEAN
		Enabling this option allows a "global" bound socket to work
		across L3 master domains (e.g., VRFs) with packets capable of
		being received regardless of the L3 domain in which they
		originated. Only valid when the kernel was compiled with
		CONFIG_NET_L3_MASTER_DEV.
		Default: 1 (enabled)

		CIPSOv4 Variables:

		cipso_cache_enable - BOOLEAN

+13 −0

Original line number	Diff line number	Diff line
		@@ -111,9 +111,22 @@ the same port if they bind to an l3mdev.
		TCP & UDP services running in the default VRF context (ie., not bound
		to any VRF device) can work across all VRF domains by enabling the
		tcp_l3mdev_accept and udp_l3mdev_accept sysctl options:

		sysctl -w net.ipv4.tcp_l3mdev_accept=1
		sysctl -w net.ipv4.udp_l3mdev_accept=1

		These options are disabled by default so that a socket in a VRF is only
		selected for packets in that VRF. There is a similar option for RAW
		sockets, which is enabled by default for reasons of backwards compatibility.
		This is so as to specify the output device with cmsg and IP_PKTINFO, but
		using a socket not bound to the corresponding VRF. This allows e.g. older ping
		implementations to be run with specifying the device but without executing it
		in the VRF. This option can be disabled so that packets received in a VRF
		context are only handled by a raw socket bound to the VRF, and packets in the
		default VRF are only handled by a socket not bound to any VRF:

		sysctl -w net.ipv4.raw_l3mdev_accept=0

		netfilter rules on the VRF device can be used to limit access to services
		running in the default VRF context as well.

+3 −0

Original line number	Diff line number	Diff line
		@@ -103,6 +103,9 @@ struct netns_ipv4 {
		/* Shall we try to damage output packets if routing dev changes? */
		int sysctl_ip_dynaddr;
		int sysctl_ip_early_demux;
		#ifdef CONFIG_NET_L3_MASTER_DEV
		int sysctl_raw_l3mdev_accept;
		#endif
		int sysctl_tcp_early_demux;
		int sysctl_udp_early_demux;

+1 −0

Original line number	Diff line number	Diff line
		@@ -61,6 +61,7 @@ void raw_seq_stop(struct seq_file seq, void v);

		int raw_hash_sk(struct sock *sk);
		void raw_unhash_sk(struct sock *sk);
		void raw_init(void);

		struct raw_sock {
		/* inet_sock has to be the first member */

+2 −0

Original line number	Diff line number	Diff line
		@@ -1964,6 +1964,8 @@ static int __init inet_init(void)
		/* Add UDP-Lite (RFC 3828) */
		udplite4_register();

		raw_init();

		ping_init();

		/*