ipv4: enable route flushing in network namespaces

Tools such as vpnc try to flush routes when run inside network
namespaces by writing 1 into /proc/sys/net/ipv4/route/flush. This
currently does not work because flush is not enabled in non-initial
network namespaces.
Since routes are per network namespace it is safe to enable
/proc/sys/net/ipv4/route/flush in there.

Link: https://github.com/lxc/lxd/issues/4257
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 8 insertions, 4 deletions

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a3e466b6a60c..bbd55c7f6b2e 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3326,9 +3326,11 @@ static struct ctl_table ipv4_route_table[] = {
         { }
 };
 
+static const char ipv4_route_flush_procname[] = "flush";
+
 static struct ctl_table ipv4_route_flush_table[] = {
         {
-                .procname       = "flush",
+                .procname       = ipv4_route_flush_procname,
                 .maxlen         = sizeof(int),
                 .mode           = 0200,
                 .proc_handler   = ipv4_sysctl_rtcache_flush,
@@ -3346,9 +3348,11 @@ static __net_init int sysctl_route_net_init(struct net *net)
                 if (!tbl)
                         goto err_dup;
 
-                /* Don't export sysctls to unprivileged users */
-                if (net->user_ns != &init_user_ns)
-                        tbl[0].procname = NULL;
+                /* Don't export non-whitelisted sysctls to unprivileged users */
+                if (net->user_ns != &init_user_ns) {
+                        if (tbl[0].procname != ipv4_route_flush_procname)
+                                tbl[0].procname = NULL;
+                }
         }
         tbl[0].extra1 = net;