From 8df6fa99bf2960014c9d53a5ec9b12270ba2ab6a Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 8 Oct 2018 20:55:55 +0200
Subject: [PATCH 1/3] macro: add NETLINK_DUMP_STRICT_CHK

This adds support for the new socket option, NETLINK_DUMP_STRICT_CHK, that userspace can use via setsockopt to request strict checking of headers and attributes on dump requests.

Signed-off-by: Christian Brauner
---
 src/lxc/macro.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 6b6b5f794..844cc2c3c 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -239,6 +239,10 @@ extern int __build_bug_on_failed;
 #define prctl_arg(x) ((unsigned long)x)
 
 /* networking */
+#ifndef NETLINK_DUMP_STRICT_CHK
+#define NETLINK_DUMP_STRICT_CHK 12
+#endif
+
 #ifndef IFLA_LINKMODE
 #define IFLA_LINKMODE 17
 #endif

From d38f5b17b716667bb5edb0b306f4caca7c1029b5 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 8 Oct 2018 21:10:29 +0200
Subject: [PATCH 2/3] macro: add SOL_NETLINK

This allows to set netlink socket properties.

Signed-off-by: Christian Brauner
---
 src/lxc/macro.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 844cc2c3c..4ce613c52 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -243,6 +243,10 @@ extern int __build_bug_on_failed;
 #define NETLINK_DUMP_STRICT_CHK 12
 #endif
 
+#ifndef SOL_NETLINK
+#define SOL_NETLINK 270
+#endif
+
 #ifndef IFLA_LINKMODE
 #define IFLA_LINKMODE 17
 #endif

From c6b647205d5cd56f24f6e4189d607dd0e80f3960 Mon Sep 17 00:00:00 2001
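Review bot: The fallback `#define NETLINK_DUMP_STRICT_CHK 12` added to src/lxc/macro.h, and likewise `#define SOL_NETLINK 270` in the second patch, has no comment saying where the number comes from or what the fallback guarantees. A one-line comment such as `/* fallback for older headers; value copied from the kernel headers */` above each guard would make the origin auditable. It is also worth stating there that the define only lets the build succeed: a running kernel without the option can still reject it, so every setsockopt() call that uses these constants has to check its return value.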
From: Christian Brauner
Date: Mon, 8 Oct 2018 21:08:10 +0200
Subject: [PATCH 3/3] netns_ifaddrs: check for NETLINK_DUMP_STRICT_CHK

Make use of the new socket option, NETLINK_DUMP_STRICT_CHK, that userspace can use via setsockopt to request strict checking of headers and attributes on dump requests. To get dump features such as kernel side filtering based on data in the header or attributes appended to the dump request, userspace must call setsockopt() for NETLINK_DUMP_STRICT_CHK and a non-zero value. This is necessary to make use of the IFA_TARGET_NETNSID property.

Signed-off-by: Christian Brauner
---
 src/include/netns_ifaddrs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/include/netns_ifaddrs.c b/src/include/netns_ifaddrs.c
index cc672a7fd..fc0ffc167 100644
--- a/src/include/netns_ifaddrs.c
+++ b/src/include/netns_ifaddrs.c
@@ -477,6 +477,14 @@ static int __rtnl_enumerate(int link_af, int addr_af, __s32 netns_id,
 if (fd < 0)
 return -1;
 
+ r = setsockopt(fd, SOL_NETLINK, NETLINK_DUMP_STRICT_CHK, &(int){1},
+ sizeof(int));
+ if (r < 0 && netns_id >= 0) {
+ close(fd);
+ *netnsid_aware = false;
+ return -1;
+ }
+
 r = __ifaddrs_netlink_recv(fd, 1, RTM_GETLINK, link_af, netns_id,
 &getlink_netnsid_aware, cb, ctx);
 if (!r)
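Review bot: In the new error branch of __rtnl_enumerate, `close(fd)` runs before `return -1`, so the errno left by the failed setsockopt() can be overwritten. A caller then cannot tell a kernel that lacks NETLINK_DUMP_STRICT_CHK from any other failure; consider `int saved_errno = errno; close(fd); errno = saved_errno;`. Failing closed when `netns_id >= 0` looks right, since without strict checking the kernel presumably ignores the target-netns attribute and answers for the caller's own namespace. The branch deserves a comment saying so, e.g. `/* no strict checking: a netns_id request cannot be trusted, so refuse it */`, and one noting that the failure is deliberately ignored when `netns_id < 0`. The function's signature and the declaration of `netnsid_aware` lie outside the hunk, so whether callers inspect errno is not visible here.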