netlink: allow to listen "all" netns

More accurately, listen all netns that have a nsid assigned into the netns where the netlink socket is opened. For this purpose, a netlink socket option is added: NETLINK_LISTEN_ALL_NSID. When this option is set on a netlink socket, this socket will receive netlink notifications from all netns that have a nsid assigned into the netns where the socket has been opened. The nsid is sent to userland via an anscillary data. With this patch, a daemon needs only one socket to listen many netns. This is useful when the number of netns is high. Because 0 is a valid value for a nsid, the field nsid_is_set indicates if the field nsid is valid or not. skb->cb is initialized to 0 on skb allocation, thus we are sure that we will never send a nsid 0 by error to the userland. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Acked-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Nicolas Dichtel <nicolas.dichtel@6wind.com> 2015-05-07 05:02:53 -0400
committer: David S. Miller <davem@davemloft.net> 2015-05-09 22:15:31 -0400
commit: 59324cf35aba5336b611074028777838a963d03b (patch)
tree: 67e6903c5a0204281060493d301b62640cb9a066 /net/netlink
parent: cc3a572fe6cf586f478546215bc5d3694357d71e (diff)
1 files changed, 47 insertions, 5 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bf7f56d7a9aa..a5fff75accf8 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -83,6 +83,7 @@ struct listeners {
 #define NETLINK_F_RECV_PKTINFO          0x2
 #define NETLINK_F_BROADCAST_SEND_ERROR  0x4
 #define NETLINK_F_RECV_NO_ENOBUFS       0x8
+#define NETLINK_F_LISTEN_ALL_NSID       0x10
 static inline int netlink_is_kernel(struct sock *sk)
 {
@@ -1932,8 +1933,17 @@ static void do_one_broadcast(struct sock *sk,
            !test_bit(p->group - 1, nlk->groups))
                return;
-        if (!net_eq(sock_net(sk), p->net))
+        if (!net_eq(sock_net(sk), p->net)) {
-                return;
+                if (!(nlk->flags & NETLINK_F_LISTEN_ALL_NSID))
+                        return;
+                if (!peernet_has_id(sock_net(sk), p->net))
+                        return;
+                if (!file_ns_capable(sk->sk_socket->file, p->net->user_ns,
+                                     CAP_NET_BROADCAST))
+                        return;
+        }
        if (p->failure) {
                netlink_overrun(sk);
@@ -1959,13 +1969,22 @@ static void do_one_broadcast(struct sock *sk,
                p->failure = 1;
                if (nlk->flags & NETLINK_F_BROADCAST_SEND_ERROR)
                        p->delivery_failure = 1;
-        } else if (p->tx_filter && p->tx_filter(sk, p->skb2, p->tx_data)) {
+                goto out;
+        }
+        if (p->tx_filter && p->tx_filter(sk, p->skb2, p->tx_data)) {
                kfree_skb(p->skb2);
                p->skb2 = NULL;
-        } else if (sk_filter(sk, p->skb2)) {
+                goto out;
+        }
+        if (sk_filter(sk, p->skb2)) {
                kfree_skb(p->skb2);
                p->skb2 = NULL;
-        } else if ((val = netlink_broadcast_deliver(sk, p->skb2)) < 0) {
+                goto out;
+        }
+        NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
+        NETLINK_CB(p->skb2).nsid_is_set = true;
+        val = netlink_broadcast_deliver(sk, p->skb2);
+        if (val < 0) {
                netlink_overrun(sk);
                if (nlk->flags & NETLINK_F_BROADCAST_SEND_ERROR)
                        p->delivery_failure = 1;
@@ -1974,6 +1993,7 @@ static void do_one_broadcast(struct sock *sk,
                p->delivered = 1;
                p->skb2 = NULL;
        }
+out:
        sock_put(sk);
 }
@@ -2202,6 +2222,16 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
                break;
        }
 #endif /* CONFIG_NETLINK_MMAP */
+        case NETLINK_LISTEN_ALL_NSID:
+                if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_BROADCAST))
+                        return -EPERM;
+                if (val)
+                        nlk->flags |= NETLINK_F_LISTEN_ALL_NSID;
+                else
+                        nlk->flags &= ~NETLINK_F_LISTEN_ALL_NSID;
+                err = 0;
+                break;
        default:
                err = -ENOPROTOOPT;
        }
@@ -2268,6 +2298,16 @@ static void netlink_cmsg_recv_pktinfo(struct msghdr *msg, struct sk_buff *skb)
        put_cmsg(msg, SOL_NETLINK, NETLINK_PKTINFO, sizeof(info), &info);
 }
+static void netlink_cmsg_listen_all_nsid(struct sock *sk, struct msghdr *msg,
+                                         struct sk_buff *skb)
+{
+        if (!NETLINK_CB(skb).nsid_is_set)
+                return;
+        put_cmsg(msg, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, sizeof(int),
+                 &NETLINK_CB(skb).nsid);
+}
 static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 {
        struct sock *sk = sock->sk;
@@ -2421,6 +2461,8 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
        if (nlk->flags & NETLINK_F_RECV_PKTINFO)
                netlink_cmsg_recv_pktinfo(msg, skb);
+        if (nlk->flags & NETLINK_F_LISTEN_ALL_NSID)
+                netlink_cmsg_listen_all_nsid(sk, msg, skb);
        memset(&scm, 0, sizeof(scm));
        scm.creds = *NETLINK_CREDS(skb);
author	Nicolas Dichtel <nicolas.dichtel@6wind.com>	2015-05-07 05:02:53 -0400
committer	David S. Miller <davem@davemloft.net>	2015-05-09 22:15:31 -0400
commit	59324cf35aba5336b611074028777838a963d03b (patch)
tree	67e6903c5a0204281060493d301b62640cb9a066 /net/netlink
parent	cc3a572fe6cf586f478546215bc5d3694357d71e (diff)