Commit 83094f8c authored Oct 12, 2021 by Antoine Tenart Committed by Greg Kroah-Hartman Oct 27, 2021

netfilter: ipvs: make global sysctl readonly in non-init netns



[ Upstream commit 174c376278949c44aad89c514a6b5db6cee8db59 ]

Because the data pointer of net/ipv4/vs/debug_level is not updated per
netns, it must be marked as read-only in non-init netns.

Fixes: c6d2d445 ("IPVS: netns, final patch enabling network name space.")
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent ce70ee94

net/netfilter/ipvs/ip_vs_ctl.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -4047,6 +4047,11 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
		tbl[idx++].data = &ipvs->sysctl_conn_reuse_mode;
		tbl[idx++].data = &ipvs->sysctl_schedule_icmp;
		tbl[idx++].data = &ipvs->sysctl_ignore_tunneled;
		#ifdef CONFIG_IP_VS_DEBUG
		/* Global sysctls must be ro in non-init netns */
		if (!net_eq(net, &init_net))
		tbl[idx++].mode = 0444;
		#endif

		ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
		if (ipvs->sysctl_hdr == NULL) {