On Mon, 17 Jan 2022 21:18:01 -0500 Sasha Levin wrote:
> From: xu xin <xu.xin16@xxxxxxxxxx>
>
> [ Upstream commit 8c8b7aa7fb0cf9e1cc9204e6bc6e1353b8393502 ]
>
> Inside netns owned by non-init userns, sysctls about ARP/neighbor are
> currently not visible and configurable.
>
> For the attributes these sysctls correspond to, any modifications make
> effects on the performance of networking (ARP, especially) only in the
> scope of netns, which does not affect other netns.
>
> Actually, some tools via netlink can modify these attributes. iproute2 is
> an example. See as follows:
>
> $ unshare -ur -n
> $ cat /proc/sys/net/ipv4/neigh/lo/retrans_time
> cat: can't open '/proc/sys/net/ipv4/neigh/lo/retrans_time': No such file
> or directory
> $ ip ntable show dev lo
> inet arp_cache
>     dev lo
>     refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
>     gc_stale 60000 delay_probe 5000 queue 101
>     app_probes 0 ucast_probes 3 mcast_probes 3
>     anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
>     dev lo
>     refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
>     gc_stale 60000 delay_probe 5000 queue 101
>     app_probes 0 ucast_probes 3 mcast_probes 3
>     anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
> $ ip ntable change name arp_cache dev <if> retrans 2000
> inet arp_cache
>     dev lo
>     refcnt 1 reachable 22917 base_reachable 30000 retrans 2000
>     gc_stale 60000 delay_probe 5000 queue 101
>     app_probes 0 ucast_probes 3 mcast_probes 3
>     anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000
>
> inet6 ndisc_cache
>     dev lo
>     refcnt 1 reachable 35524 base_reachable 30000 retrans 1000
>     gc_stale 60000 delay_probe 5000 queue 101
>     app_probes 0 ucast_probes 3 mcast_probes 3
>     anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0
>
> Reported-by: Zeal Robot <zealci@xxxxxxxxxx>
> Signed-off-by: xu xin <xu.xin16@xxxxxxxxxx>
> Acked-by: Joanne Koong <joannekoong@xxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

Not a fix, IDK how the "Zeal Robot" "reported" that a sysctl is not
exposed under user ns, that's probably what throws off matchers :/

Anyway - it's a feature.
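
The asymmetry the quoted commit message describes (a neighbour parameter readable over netlink while its sysctl file is absent in a netns owned by a non-init userns) can be checked mechanically. The following is an added shell example, not part of the original thread or the kernel tree; the function names `ntable_param` and `neigh_visibility` and the `PROCROOT` argument are hypothetical, and the sample text is constructed from the `ip ntable show dev lo` output quoted above.

```shell
#!/bin/sh
# Constructed sample: `ip ntable show dev lo` output as quoted in the commit message.
SAMPLE='inet arp_cache
    dev lo
    refcnt 1 reachable 19494 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 1000

inet6 ndisc_cache
    dev lo
    refcnt 1 reachable 42394 base_reachable 30000 retrans 1000
    gc_stale 60000 delay_probe 5000 queue 101
    app_probes 0 ucast_probes 3 mcast_probes 3
    anycast_delay 1000 proxy_delay 800 proxy_queue 64 locktime 0'

# ntable_param TABLE KEY (hypothetical helper)
# Reads `ip ntable show` text on stdin and prints the value of KEY for TABLE.
ntable_param() {
    awk -v table="$1" -v key="$2" '
        $1 == "inet" || $1 == "inet6" { cur = $2; next }  # table header line
        cur == table {
            for (i = 1; i < NF; i += 2)                    # body lines are key/value pairs
                if ($i == key) { print $(i + 1); exit }
        }'
}

# neigh_visibility PROCROOT DEV PARAM NETLINK_VALUE (hypothetical helper)
# Reports through which interface the neighbour parameter is reachable.
# PROCROOT is /proc on a live system; it is an argument so the check can be
# pointed at a copied or constructed tree.
neigh_visibility() {
    f="$1/sys/net/ipv4/neigh/$2/$3"
    if [ -r "$f" ] && [ -n "$4" ]; then echo "sysctl+netlink"
    elif [ -r "$f" ]; then echo "sysctl-only"
    elif [ -n "$4" ]; then echo "netlink-only"
    else echo "neither"
    fi
}

# Demo on the constructed sample; on a live host, pipe `ip ntable show dev lo` instead.
v=$(printf '%s\n' "$SAMPLE" | ntable_param arp_cache retrans)
echo "arp_cache retrans via netlink: $v"
echo "lo retrans_time: $(neigh_visibility /proc lo retrans_time "$v")"
```

Run inside `unshare -ur -n` on a kernel without the quoted commit, the last line would be expected to report `netlink-only`, matching the `cat` failure shown in the commit message.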