2007-12-16 22:29:36 +01:00
|
|
|
/*
|
|
|
|
|
* ipv4 in net namespaces
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __NETNS_IPV4_H__
|
|
|
|
|
#define __NETNS_IPV4_H__
|
2008-01-10 12:27:51 +01:00
|
|
|
|
2008-01-22 15:02:14 +01:00
|
|
|
#include <net/inet_frag.h>
|
|
|
|
|
|
2007-12-16 22:31:47 +01:00
|
|
|
struct ctl_table_header;
|
|
|
|
|
struct ipv4_devconf;
|
2008-01-10 12:27:51 +01:00
|
|
|
struct fib_rules_ops;
|
2008-01-10 12:28:24 +01:00
|
|
|
struct hlist_head;
|
2008-01-10 12:28:55 +01:00
|
|
|
struct sock;
|
2007-12-16 22:31:47 +01:00
|
|
|
|
2007-12-16 22:29:36 +01:00
|
|
|
struct netns_ipv4 {
|
2008-01-06 08:08:49 +01:00
|
|
|
#ifdef CONFIG_SYSCTL
|
2007-12-16 22:31:47 +01:00
|
|
|
struct ctl_table_header *forw_hdr;
|
2008-01-22 15:08:36 +01:00
|
|
|
struct ctl_table_header *frags_hdr;
|
2008-03-26 09:56:24 +01:00
|
|
|
struct ctl_table_header *ipv4_hdr;
|
2008-07-06 04:02:33 +02:00
|
|
|
struct ctl_table_header *route_hdr;
|
2008-01-06 08:08:49 +01:00
|
|
|
#endif
|
2007-12-16 22:31:47 +01:00
|
|
|
struct ipv4_devconf *devconf_all;
|
|
|
|
|
struct ipv4_devconf *devconf_dflt;
|
2008-01-10 12:27:51 +01:00
|
|
|
#ifdef CONFIG_IP_MULTIPLE_TABLES
|
|
|
|
|
struct fib_rules_ops *rules_ops;
|
|
|
|
|
#endif
|
2008-01-10 12:28:24 +01:00
|
|
|
struct hlist_head *fib_table_hash;
|
2008-01-10 12:28:55 +01:00
|
|
|
struct sock *fibnl;
|
2008-01-22 15:02:14 +01:00
|
|
|
|
2008-02-29 20:19:58 +01:00
|
|
|
struct sock **icmp_sk;
|
2008-04-03 23:31:33 +02:00
|
|
|
struct sock *tcp_sock;
|
2012-06-08 03:20:41 +02:00
|
|
|
struct inet_peer_base *peers;
|
2008-01-22 15:02:14 +01:00
|
|
|
struct netns_frags frags;
|
2008-01-31 13:03:23 +01:00
|
|
|
#ifdef CONFIG_NETFILTER
|
|
|
|
|
struct xt_table *iptable_filter;
|
|
|
|
|
struct xt_table *iptable_mangle;
|
|
|
|
|
struct xt_table *iptable_raw;
|
2008-01-31 13:05:09 +01:00
|
|
|
struct xt_table *arptable_filter;
|
2010-01-18 08:08:37 +01:00
|
|
|
#ifdef CONFIG_SECURITY
|
2008-06-10 00:57:24 +02:00
|
|
|
struct xt_table *iptable_security;
|
2010-01-18 08:08:37 +01:00
|
|
|
#endif
|
2008-10-08 11:35:10 +02:00
|
|
|
struct xt_table *nat_table;
|
2008-10-08 11:35:11 +02:00
|
|
|
struct hlist_head *nat_bysource;
|
2010-02-08 20:18:07 +01:00
|
|
|
unsigned int nat_htable_size;
|
2008-01-31 13:03:23 +01:00
|
|
|
#endif
|
2008-03-26 09:55:37 +01:00
|
|
|
|
|
|
|
|
int sysctl_icmp_echo_ignore_all;
|
|
|
|
|
int sysctl_icmp_echo_ignore_broadcasts;
|
|
|
|
|
int sysctl_icmp_ignore_bogus_error_responses;
|
|
|
|
|
int sysctl_icmp_ratelimit;
|
|
|
|
|
int sysctl_icmp_ratemask;
|
|
|
|
|
int sysctl_icmp_errors_use_inbound_ifaddr;
|
2008-10-27 20:28:25 +01:00
|
|
|
int sysctl_rt_cache_rebuild_count;
|
|
|
|
|
int current_rt_cache_rebuild_count;
|
2008-07-06 04:02:59 +02:00
|
|
|
|
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
socket(PF_INET, SOCK_DGRAM, PROT_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 12:01:00 +02:00
|
|
|
unsigned int sysctl_ping_group_range[2];
|
2011-12-11 22:47:05 +01:00
|
|
|
long sysctl_tcp_mem[3];
|
net: ipv4: add IPPROTO_ICMP socket kind
This patch adds IPPROTO_ICMP socket kind. It makes it possible to send
ICMP_ECHO messages and receive the corresponding ICMP_ECHOREPLY messages
without any special privileges. In other words, the patch makes it
possible to implement setuid-less and CAP_NET_RAW-less /bin/ping. In
order not to increase the kernel's attack surface, the new functionality
is disabled by default, but is enabled at bootup by supporting Linux
distributions, optionally with restriction to a group or a group range
(see below).
Similar functionality is implemented in Mac OS X:
http://www.manpagez.com/man/4/icmp/
A new ping socket is created with
socket(PF_INET, SOCK_DGRAM, PROT_ICMP)
Message identifiers (octets 4-5 of ICMP header) are interpreted as local
ports. Addresses are stored in struct sockaddr_in. No port numbers are
reserved for privileged processes, port 0 is reserved for API ("let the
kernel pick a free number"). There is no notion of remote ports, remote
port numbers provided by the user (e.g. in connect()) are ignored.
Data sent and received include ICMP headers. This is deliberate to:
1) Avoid the need to transport headers values like sequence numbers by
other means.
2) Make it easier to port existing programs using raw sockets.
ICMP headers given to send() are checked and sanitized. The type must be
ICMP_ECHO and the code must be zero (future extensions might relax this,
see below). The id is set to the number (local port) of the socket, the
checksum is always recomputed.
ICMP reply packets received from the network are demultiplexed according
to their id's, and are returned by recv() without any modifications.
IP header information and ICMP errors of those packets may be obtained
via ancillary data (IP_RECVTTL, IP_RETOPTS, and IP_RECVERR). ICMP source
quenches and redirects are reported as fake errors via the error queue
(IP_RECVERR); the next hop address for redirects is saved to ee_info (in
network order).
socket(2) is restricted to the group range specified in
"/proc/sys/net/ipv4/ping_group_range". It is "1 0" by default, meaning
that nobody (not even root) may create ping sockets. Setting it to "100
100" would grant permissions to the single group (to either make
/sbin/ping g+s and owned by this group or to grant permissions to the
"netadmins" group), "0 4294967295" would enable it for the world, "100
4294967295" would enable it for the users, but not daemons.
The existing code might be (in the unlikely case anyone needs it)
extended rather easily to handle other similar pairs of ICMP messages
(Timestamp/Reply, Information Request/Reply, Address Mask Request/Reply
etc.).
Userspace ping util & patch for it:
http://openwall.info/wiki/people/segoon/ping
For Openwall GNU/*/Linux it was the last step on the road to the
setuid-less distro. A revision of this patch (for RHEL5/OpenVZ kernels)
is in use in Owl-current, such as in the 2011/03/12 LiveCD ISOs:
http://mirrors.kernel.org/openwall/Owl/current/iso/
Initially this functionality was written by Pavel Kankovsky for
Linux 2.4.32, but unfortunately it was never made public.
All ping options (-b, -p, -Q, -R, -s, -t, -T, -M, -I), are tested with
the patch.
PATCH v3:
- switched to flowi4.
- minor changes to be consistent with raw sockets code.
PATCH v2:
- changed ping_debug() to pr_debug().
- removed CONFIG_IP_PING.
- removed ping_seq_fops.owner field (unused for procfs).
- switched to proc_net_fops_create().
- switched to %pK in seq_printf().
PATCH v1:
- fixed checksumming bug.
- CAP_NET_RAW may not create icmp sockets anymore.
RFC v2:
- minor cleanups.
- introduced sysctl'able group range to restrict socket(2).
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-13 12:01:00 +02:00
|
|
|
|
2008-07-06 04:04:32 +02:00
|
|
|
atomic_t rt_genid;
|
2011-03-25 01:42:21 +01:00
|
|
|
atomic_t dev_addr_genid;
|
2009-01-22 05:56:15 +01:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_IP_MROUTE
|
ipv4: ipmr: support multiple tables
This patch adds support for multiple independant multicast routing instances,
named "tables".
Userspace multicast routing daemons can bind to a specific table instance by
issuing a setsockopt call using a new option MRT_TABLE. The table number is
stored in the raw socket data and affects all following ipmr setsockopt(),
getsockopt() and ioctl() calls. By default, a single table (RT_TABLE_DEFAULT)
is created with a default routing rule pointing to it. Newly created pimreg
devices have the table number appended ("pimregX"), with the exception of
devices created in the default table, which are named just "pimreg" for
compatibility reasons.
Packets are directed to a specific table instance using routing rules,
similar to how regular routing rules work. Currently iif, oif and mark
are supported as keys, source and destination addresses could be supported
additionally.
Example usage:
- bind pimd/xorp/... to a specific table:
uint32_t table = 123;
setsockopt(fd, IPPROTO_IP, MRT_TABLE, &table, sizeof(table));
- create routing rules directing packets to the new table:
# ip mrule add iif eth0 lookup 123
# ip mrule add oif eth0 lookup 123
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-13 07:03:23 +02:00
|
|
|
#ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
|
2010-04-13 07:03:22 +02:00
|
|
|
struct mr_table *mrt;
|
ipv4: ipmr: support multiple tables
This patch adds support for multiple independant multicast routing instances,
named "tables".
Userspace multicast routing daemons can bind to a specific table instance by
issuing a setsockopt call using a new option MRT_TABLE. The table number is
stored in the raw socket data and affects all following ipmr setsockopt(),
getsockopt() and ioctl() calls. By default, a single table (RT_TABLE_DEFAULT)
is created with a default routing rule pointing to it. Newly created pimreg
devices have the table number appended ("pimregX"), with the exception of
devices created in the default table, which are named just "pimreg" for
compatibility reasons.
Packets are directed to a specific table instance using routing rules,
similar to how regular routing rules work. Currently iif, oif and mark
are supported as keys, source and destination addresses could be supported
additionally.
Example usage:
- bind pimd/xorp/... to a specific table:
uint32_t table = 123;
setsockopt(fd, IPPROTO_IP, MRT_TABLE, &table, sizeof(table));
- create routing rules directing packets to the new table:
# ip mrule add iif eth0 lookup 123
# ip mrule add oif eth0 lookup 123
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-13 07:03:23 +02:00
|
|
|
#else
|
|
|
|
|
struct list_head mr_tables;
|
|
|
|
|
struct fib_rules_ops *mr_rules_ops;
|
|
|
|
|
#endif
|
2009-01-22 05:56:15 +01:00
|
|
|
#endif
|
2007-12-16 22:29:36 +01:00
|
|
|
};
|
|
|
|
|
#endif
|
