1
linux/net/ipv4
David S. Miller e4f8b5d4ed [IPV4]: Remove IP_TOS setting privilege checks.
Various RFCs have all sorts of things to say about the CS field of the
DSCP value.  In particular they try to make the distinction between
values that should be used by "user applications" and things like
routing daemons.

This seems to have influenced the CAP_NET_ADMIN check which exists for
IP_TOS socket option settings, but in fact it has an off-by-one error
so it wasn't allowing CS5 which is meant for "user applications" as
well.

Further adding to the inconsistency and brokenness here, IPV6 does not
validate the DSCP values specified for the IPV6_TCLASS socket option.

The real actual uses of these TOS values are system specific in the
final analysis, and these RFC recommendations are just that, "a
recommendation".  In fact the standards very purposefully use
"SHOULD" and "SHOULD NOT" when describing how these values can be
used.

In the final analysis the only clean way to provide consistency here
is to remove the CAP_NET_ADMIN check.  The alternatives just don't
work out:

1) If we add the CAP_NET_ADMIN check to ipv6, this can break existing
   setups.

2) If we just fix the off-by-one error in the class comparison in
   IPV4, certain DSCP values can be used in IPV6 but not IPV4 by
   default.  So people will just ask for a sysctl asking to
   override that.

I checked several other freely available kernel trees and they
do not make any privilege checks in this area like we do.  For
the BSD stacks, this goes back all the way to Stevens Volume 2
and beyond.

Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-12 17:53:29 -08:00
..
ipvs ipvs: Make wrr "no available servers" error message rate-limited 2008-02-05 20:00:10 -08:00
netfilter [NETFILTER]: nf_conntrack: fix ct_extend ->move operation 2008-02-07 17:56:34 -08:00
af_inet.c [NETNS]: Add namespace parameter to ip_route_output_flow. 2008-01-28 15:11:06 -08:00
ah4.c [XFRM]: constify 'struct xfrm_type' 2008-01-31 19:27:20 -08:00
arp.c [NETFILTER]: ebtables: remove casts, use consts 2008-01-31 19:27:33 -08:00
cipso_ipv4.c NetLabel: introduce a new kernel configuration API for NetLabel 2008-02-05 09:44:20 -08:00
datagram.c [IPV4] net/ipv4: Use ipv4_is_<type> 2008-01-28 14:58:15 -08:00
devinet.c [NETNS]: Process interface address manipulation routines in the namespace. 2008-01-31 19:28:39 -08:00
esp4.c [XFRM]: constify 'struct xfrm_type' 2008-01-31 19:27:20 -08:00
fib_frontend.c [NETNS]: Lookup in FIB semantic hashes taking into account the namespace. 2008-01-31 19:28:41 -08:00
fib_hash.c [IPV4] fib: fix route replacement, fib_info is shared 2008-01-31 19:27:10 -08:00
fib_lookup.h [IPV4] FIB_HASH: Reduce memory needs and speedup lookups 2008-01-28 15:02:46 -08:00
fib_rules.c [IPV4]: Consolidate fib_select_default. 2008-01-28 15:11:02 -08:00
fib_semantics.c [NETNS]: Lookup in FIB semantic hashes taking into account the namespace. 2008-01-31 19:28:41 -08:00
fib_trie.c [IPV4]: Formatting fix for /proc/net/fib_trie. 2008-02-05 02:58:45 -08:00
icmp.c [ICMP]: Restore pskb_pull calls in receive function 2008-02-05 03:15:50 -08:00
igmp.c [IGMP]: Optimize kfree_skb in igmp_rcv. 2008-02-09 23:22:26 -08:00
inet_connection_sock.c [SOCK] proto: Add hashinfo member to struct proto 2008-02-03 04:28:52 -08:00
inet_diag.c [NETNS]: Tcp-v6 sockets per-net lookup. 2008-01-31 19:28:20 -08:00
inet_fragment.c [NETNS][FRAGS]: Make the pernet subsystem for fragments. 2008-01-28 15:10:40 -08:00
inet_hashtables.c [INET]: Fix accidentally broken inet(6)_hash_connect's port offset calculations. 2008-02-05 03:14:44 -08:00
inet_lro.c [LRO] Fix lro_mgr->features checks 2008-01-08 23:30:18 -08:00
inet_timewait_sock.c [NET]: prot_inuse cleanups and optimizations 2008-01-28 15:00:36 -08:00
inetpeer.c [INET]: Use list_head-s in inetpeer.c 2007-11-12 21:27:28 -08:00
ip_forward.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
ip_fragment.c [NETNS][FRAGS]: Make the pernet subsystem for fragments. 2008-01-28 15:10:40 -08:00
ip_gre.c [NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28 15:11:07 -08:00
ip_input.c [IPv4] RAW: Compact the API for the kernel 2008-01-28 14:54:28 -08:00
ip_options.c [NETNS]: Add netns parameter to inet_(dev_)add_type. 2008-01-28 15:01:27 -08:00
ip_output.c [NET]: Introducing socket mark socket option. 2008-01-31 19:27:19 -08:00
ip_sockglue.c [IPV4]: Remove IP_TOS setting privilege checks. 2008-02-12 17:53:29 -08:00
ipcomp.c [XFRM]: constify 'struct xfrm_type' 2008-01-31 19:27:20 -08:00
ipconfig.c [NETNS]: Pass namespace through ip_rt_ioctl. 2008-01-28 15:01:34 -08:00
ipip.c [NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28 15:11:07 -08:00
ipmr.c [NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28 15:11:07 -08:00
Kconfig [IPSEC]: Use crypto_aead and authenc in ESP 2008-01-31 19:27:02 -08:00
Makefile [IPV4]: Cleanup the sysctl_net_ipv4.c file 2008-01-28 14:56:27 -08:00
netfilter.c [NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28 15:11:07 -08:00
proc.c [NETNS][FRAGS]: Make the mem counter per-namespace. 2008-01-28 15:10:36 -08:00
protocol.c [IPV4]: align inet_protos[] on SMP 2007-04-25 22:28:20 -07:00
raw.c [RAW]: Wrong content of the /proc/net/raw6. 2008-01-31 19:27:26 -08:00
route.c [IPV4]: route: fix crash ip_route_input 2008-02-07 17:58:20 -08:00
syncookies.c [NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28 15:11:07 -08:00
sysctl_net_ipv4.c [TCP]: Fix a bug in strategy_allowed_congestion_control 2008-01-31 19:28:23 -08:00
tcp_bic.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_cong.c [TCP]: Uninline tcp_is_cwnd_limited 2008-01-28 15:01:48 -08:00
tcp_cubic.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_diag.c [INET]: Let inet_diag and friends autoload 2007-10-22 02:59:54 -07:00
tcp_highspeed.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_htcp.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_hybla.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_illinois.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_input.c [TCP]: NewReno must count every skb while marking losses 2008-01-31 19:27:22 -08:00
tcp_ipv4.c [SOCK] proto: Add hashinfo member to struct proto 2008-02-03 04:28:52 -08:00
tcp_lp.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_minisocks.c [TCP]: Move sack_ok access to obviously named funcs & cleanup 2007-10-10 16:48:00 -07:00
tcp_output.c [TCP]: Unexport sysctl_tcp_tso_win_divisor 2008-01-31 19:28:32 -08:00
tcp_probe.c [NET]: Make /proc/net per network namespace 2007-10-10 16:49:06 -07:00
tcp_scalable.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_timer.c [TCP]: Do not purge sk_forward_alloc entirely in tcp_delack_timer(). 2008-01-28 15:01:42 -08:00
tcp_vegas.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_vegas.h [TCP]: congestion control API pass RTT in microseconds 2007-07-31 02:27:57 -07:00
tcp_veno.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp_westwood.c [TCP]: congestion control API pass RTT in microseconds 2007-07-31 02:27:57 -07:00
tcp_yeah.c [TCP]: Cong.ctrl modules: remove unused good_ack from cong_avoid 2008-01-28 14:55:41 -08:00
tcp.c [SOCK] proto: Add hashinfo member to struct proto 2008-02-03 04:28:52 -08:00
tunnel4.c [INET]: Cleanup the xfrm4_tunnel_(un)register 2007-11-10 21:48:54 -08:00
udp_impl.h [UDP]: Randomize port selection. 2007-10-10 16:48:31 -07:00
udp.c [NETNS]: Udp sockets per-net lookup. 2008-01-31 19:28:21 -08:00
udplite.c [IPV4] UDP,UDPLITE: Sparse: {__udp4_lib,udp,udplite}_err() are of void. 2008-01-28 15:10:24 -08:00
xfrm4_input.c [IPSEC]: Fix transport-mode async resume on intput without netfilter 2008-01-28 15:00:10 -08:00
xfrm4_mode_beet.c [IPSEC] xfrm4_beet_input(): fix an if() 2008-02-05 02:51:39 -08:00
xfrm4_mode_transport.c [IPSEC]: Use IPv6 calling convention as the convention for x->mode->output 2007-10-10 16:55:54 -07:00
xfrm4_mode_tunnel.c [IPSEC]: Rename tunnel-mode functions to avoid collisions with tunnels 2008-01-28 14:59:18 -08:00
xfrm4_output.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
xfrm4_policy.c [NET]: should explicitely initialize atomic_t field in struct dst_ops 2008-01-31 19:27:23 -08:00
xfrm4_state.c [IPSEC]: Kill afinfo->nf_post_routing 2008-01-28 14:53:55 -08:00
xfrm4_tunnel.c [IPCOMP]: Fix reception of incompressible packets 2008-01-31 19:27:24 -08:00