From: Vincent Bernat <vincent@bernat.ch>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, dsahern@gmail.com,
Laurent Fasnacht <fasnacht@protonmail.ch>
Subject: Re: [PATCH net-next v2] net: core: enable SO_BINDTODEVICE for non-root users
Date: Fri, 23 Oct 2020 12:02:20 +0200
Message-ID: <m37drhs1jn.fsf@bernat.ch>
In-Reply-To: <20200402.174735.1088204254915987225.davem@davemloft.net> (David Miller's message of "Thu, 02 Apr 2020 17:47:35 -0700 (PDT)")
❦ 2 April 2020 17:47 -07, David Miller:
>> Currently, SO_BINDTODEVICE requires CAP_NET_RAW. This change allows a
>> non-root user to bind a socket to an interface if it is not already
>> bound.
> ...
>
> Ok I'm convinced now, thanks for your patience.
I've got some user feedback about this patch. I didn't think the patch
would allow circumventing routing policies on most common setups, but
a VPN may set up a default route with a lower metric and an application may
(on purpose or by accident) use SO_BINDTODEVICE to circumvent the lower
metric route:
default via 10.81.0.1 dev tun0 proto static metric 50
default via 192.168.122.1 dev enp1s0 proto dhcp metric 100
I am wondering if we should revert the patch for 5.10 while we can,
waiting for a better solution (and breaking people relying on the new
behavior in 5.9).
Then, I can propose a patch with a sysctl to avoid breaking existing
setups.
--
I must have a prodigious quantity of mind; it takes me as much as a
week sometimes to make it up.
-- Mark Twain, "The Innocents Abroad"
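The situation Vincent describes can be spotted from the routing table alone: the default route with the lowest metric is the one the kernel would normally pick, and any other interface that also carries a default route is one a socket bound with SO_BINDTODEVICE could send through instead. The following script is an added example written for this page, not code from the patch or from the thread's participants. It parses `ip route` output (the two lines quoted above, embedded as constructed sample input), reports which device wins by metric and which other devices would bypass it. The `TUNNEL_PREFIXES` heuristic for recognising VPN-style interfaces by name is an assumption of the example, not anything the kernel defines.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two default routes quoted in the mail, as printed by
# `ip route`, plus one non-default route so the parser has something to skip.
SAMPLE_IP_ROUTE = """\
default via 10.81.0.1 dev tun0 proto static metric 50
default via 192.168.122.1 dev enp1s0 proto dhcp metric 100
192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.10 metric 100
"""

# Assumption of this example: interface-name prefixes that usually denote a
# VPN or tunnel device. Adjust for your own naming scheme.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "ipsec")


@dataclass(frozen=True)
class DefaultRoute:
    gateway: Optional[str]   # None for point-to-point routes without "via"
    dev: str
    metric: int              # `ip route` omits the metric when it is 0


# "default [via GW] dev DEV ..." ; the metric, if printed, is matched separately
_DEFAULT_RE = re.compile(r"^default(?: via (\S+))? dev (\S+)")
_METRIC_RE = re.compile(r"\bmetric (\d+)\b")


def parse_default_routes(text: str) -> list:
    """Return every default route found in `ip route` output, in file order."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _DEFAULT_RE.match(line)
        if not m:
            continue  # not a default route
        metric_match = _METRIC_RE.search(line)
        metric = int(metric_match.group(1)) if metric_match else 0
        routes.append(DefaultRoute(m.group(1), m.group(2), metric))
    return routes


def default_routes_report(text: str) -> dict:
    """Identify the metric-preferred default route and the devices that bypass it.

    `preferred` is the default route the kernel would use for an unbound socket.
    `bypass` lists the other default routes on different devices: a socket bound
    to one of those devices with SO_BINDTODEVICE would not use `preferred`.
    """
    routes = sorted(parse_default_routes(text), key=lambda r: r.metric)
    if not routes:
        return {"preferred": None, "bypass": []}
    preferred = routes[0]
    bypass = [r for r in routes[1:] if r.dev != preferred.dev]
    return {"preferred": preferred, "bypass": bypass}


def vpn_bypass_possible(text: str) -> bool:
    """True when the winning default route is on a tunnel-like device and at
    least one other device also has a default route (the case in the mail)."""
    report = default_routes_report(text)
    preferred = report["preferred"]
    if preferred is None:
        return False
    return preferred.dev.startswith(TUNNEL_PREFIXES) and bool(report["bypass"])


def describe(text: str) -> str:
    report = default_routes_report(text)
    if report["preferred"] is None:
        return "no default route found"
    lines = [f"preferred default route: dev {report['preferred'].dev} "
             f"metric {report['preferred'].metric}"]
    for r in report["bypass"]:
        lines.append(f"  bypass candidate: dev {r.dev} metric {r.metric} "
                     f"(reachable by a socket bound with SO_BINDTODEVICE)")
    if vpn_bypass_possible(text):
        lines.append("  WARNING: tunnel default route can be bypassed by device binding")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use the live routing table when `ip` is available, else the sample.
    try:
        output = subprocess.run(["ip", "-4", "route", "show"], check=True,
                                capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_IP_ROUTE
    print(describe(output))
```

Run as-is on a host and it inspects the live IPv4 table; without `ip` it falls back to the sample, where tun0 (metric 50) wins and enp1s0 (metric 100) is reported as the device a bound socket could reach instead. Note that the check only says the bypass is possible on the current kernel; whether an unprivileged process may actually set SO_BINDTODEVICE depends on the kernel version, which is exactly what the thread is deciding.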