Re: [PATCH AUTOSEL 5.16 118/217] net: Enable neighbor sysctls that is save for userns root
From: Jakub Kicinski
Date: Tue Jan 18 2022 - 11:59:48 EST
On Mon, 17 Jan 2022 21:18:01 -0500 Sasha Levin wrote:
> From: xu xin <xu.xin16@xxxxxxxxxx>
>
> [ Upstream commit 8c8b7aa7fb0cf9e1cc9204e6bc6e1353b8393502 ]
>
> Inside a netns owned by a non-init userns, the sysctls about ARP/neighbor are
> currently not visible or configurable.
>
> For the attributes these sysctls correspond to, any modification affects
> the performance of networking (ARP, especially) only within the scope of
> the netns, and does not affect other netns.
>
> Actually, some tools can modify these attributes via netlink. iproute2 is
> an example; see as follows:
>
> $ unshare -ur -n
> $ cat /proc/sys/net/ipv4/neigh/lo/retrans_time
> cat: can't open '/proc/sys/net/ipv4/neigh/lo/retrans_time': No such file
> or directory
> $ ip ntable show dev lo
> inet arp_cache
> dev lo
> refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
> dev lo
> refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
> $ ip ntable change name arp_cache dev <if> retrans 2000
> inet arp_cache
> dev lo
> refcnt 1 reachable 22917 base_reachable 30000 retrans 2000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
> dev lo
> refcnt 1 reachable 35524 base_reachable 30000 retrans 1000
> gc_stale 60000 delay_probe 5000 queue 101
> app_probes 0 ucast_probes 3 mcast_probes 3
> anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
>
> Reported-by: Zeal Robot <zealci@xxxxxxxxxx>
> Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
> Acked-by: Joanne Koong <joannekoong@xxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
Not a fix, IDK how the "Zeal Robot" "reported" that a sysctl is not
exposed under user ns, that's probably what throws off matchers :/
Anyway - it's a feature.
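The quoted commit message contrasts two views of the same neighbor table parameters: the `/proc/sys/net/*/neigh/<dev>/` sysctls (absent inside a userns-owned netns before this commit) and the values `ip ntable show` reads over netlink (always available). The script below is an added example, not code from the thread, iproute2 or the kernel: it parses `ip ntable show` output (the sample is the output quoted above, embedded as constructed input) and audits which corresponding sysctl files are missing or disagree, so an operator can tell whether a given netns needs netlink (`ip ntable change`) rather than sysctl to tune ARP/NDISC behaviour. The field-to-sysctl mapping and unit divisors are my assumptions from the kernel's neigh sysctl table; the three fields the kernel exposes in USER_HZ jiffies (`anycast_delay`, `proxy_delay`, `locktime`) are deliberately not mapped.

```python
import subprocess
import sys
from pathlib import Path

# Constructed sample: the `ip ntable show dev lo` output quoted in the thread,
# taken inside an unprivileged user namespace on a pre-patch kernel.
SAMPLE_NTABLE = """\
inet arp_cache
    dev lo
    refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    dev lo
    refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
"""

# Assumed mapping: ip ntable field -> (sysctl file under .../neigh/<dev>/,
# divisor converting ip's unit into the sysctl's unit). Fields exposed by the
# kernel in USER_HZ jiffies (anycast_delay, proxy_delay, locktime) are omitted.
NTABLE_TO_SYSCTL = {
    "retrans": ("retrans_time_ms", 1),
    "base_reachable": ("base_reachable_time_ms", 1),
    "gc_stale": ("gc_stale_time", 1000),            # ip prints ms, sysctl is seconds
    "delay_probe": ("delay_first_probe_time", 1000), # ip prints ms, sysctl is seconds
    "queue": ("unres_qlen", 1),
    "proxy_queue": ("proxy_qlen", 1),
    "app_probes": ("app_solicit", 1),
    "ucast_probes": ("ucast_solicit", 1),
    "mcast_probes": ("mcast_solicit", 1),
}

FAMILY_DIR = {"inet": "ipv4", "inet6": "ipv6"}


def parse_ntable(text):
    """Parse `ip ntable show` output into {family: {field: value}}.

    A line starting with 'inet' or 'inet6' opens a table; every following
    line is a flat sequence of 'key value' pairs ('dev lo', 'retrans 1000', ...).
    """
    tables, cur = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in FAMILY_DIR:
            cur = tables.setdefault(tokens[0], {"table": tokens[1]})
            continue
        if cur is None:
            raise ValueError("field line before a family header: %r" % line)
        if len(tokens) % 2:
            raise ValueError("unpaired key/value tokens: %r" % line)
        for key, val in zip(tokens[::2], tokens[1::2]):
            cur[key] = int(val) if val.lstrip("-").isdigit() else val
    return tables


def expected_sysctls(tables, proc_root="/proc/sys"):
    """Yield (sysctl path, value netlink reports, converted to sysctl units)."""
    for family, fields in tables.items():
        base = Path(proc_root) / "net" / FAMILY_DIR[family] / "neigh" / fields["dev"]
        for field, (name, divisor) in NTABLE_TO_SYSCTL.items():
            if field in fields:
                yield base / name, fields[field] // divisor


def audit_neigh_sysctls(tables, proc_root="/proc/sys"):
    """Classify each expected sysctl as missing (not exposed in this netns, the
    pre-patch behaviour under a user namespace), match, or mismatch."""
    report = {"missing": [], "match": [], "mismatch": []}
    for path, expected in expected_sysctls(tables, proc_root):
        if not path.exists():
            report["missing"].append(str(path))
            continue
        actual = int(path.read_text().split()[0])
        bucket = "match" if actual == expected else "mismatch"
        report[bucket].append((str(path), expected, actual))
    return report


if __name__ == "__main__":
    # Run against the live netns when `ip` is available, else the sample.
    try:
        out = subprocess.run(["ip", "ntable", "show"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NTABLE
    result = audit_neigh_sysctls(parse_ntable(out))
    for kind, entries in result.items():
        print("%s: %d" % (kind, len(entries)))
        for entry in entries:
            print("   ", entry)
    sys.exit(1 if result["missing"] or result["mismatch"] else 0)
```

Run inside `unshare -ur -n` on a kernel without the commit and every entry lands in `missing`, which is exactly the condition the commit message describes; on a kernel with it, the ipv4 and ipv6 entries should all be `match`, and a `mismatch` after an `ip ntable change` points at a stale cached value or a unit conversion worth double-checking.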