Only if the NETIF_F_VENET flag is set.

A container must not receive or send packets carrying a MAC address
that does not belong to it.

Signed-off-by: Andrew Vagin <[email protected]>
---
 drivers/net/veth.c |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 7f64043..7f98a05 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -19,6 +19,7 @@
 #include <net/xfrm.h>
 #include <linux/veth.h>
 #include <linux/module.h>
+#include "../../net/bridge/br_private.h"
 
 #define DRV_NAME       "veth"
 #define DRV_VERSION    "1.0"
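Review bot: The new include reaches into another subsystem's private header by relative path (`../../net/bridge/br_private.h`) solely for `br_port_get_rcu()`, which ties veth to the bridge module's internal layout and to CONFIG_BRIDGE being built. If the filter only needs to know whether the device is enslaved to a bridge, the public flag test `dev->priv_flags & IFF_BRIDGE_PORT` from `<linux/if.h>` gives that without the private header; if the port pointer itself is genuinely needed, the use should at least be wrapped in `#if IS_ENABLED(CONFIG_BRIDGE)`. I cannot confirm from this hunk which of the two the tree exports.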
@@ -105,6 +106,31 @@ static const struct ethtool_ops veth_ethtool_ops = {
        .get_ethtool_stats      = veth_get_ethtool_stats,
 };
 
+static int vzethdev_filter(struct sk_buff *skb, struct net_device *dev, struct 
net_device *rcv)
+{
+       /* Filtering */
+       if (ve_is_super(dev_net(dev)->owner_ve) &&
+           dev->features & NETIF_F_FIXED_ADDR) {
+               /* from VE0 to VEX */
+               if (ve_is_super(dev_net(rcv)->owner_ve))
+                       return 1;
+               if (is_multicast_ether_addr(
+                                       ((struct ethhdr *)skb->data)->h_dest))
+                       return 1;
+               if (!br_port_get_rcu(rcv) &&
+                       compare_ether_addr(((struct ethhdr 
*)skb->data)->h_dest, rcv->dev_addr))
+                               return 0;
+       } else if (!ve_is_super(dev_net(dev)->owner_ve) &&
+                  dev->features & NETIF_F_FIXED_ADDR) {
+               /* from VEX to VE0 */
+               if (!br_port_get_rcu(dev) &&
+                       compare_ether_addr(((struct ethhdr 
*)skb->data)->h_source, dev->dev_addr))
+                               return 0;
+       }
+
+       return 1;
+}
+
 static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct veth_priv *priv = netdev_priv(dev);
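Review bot: `vzethdev_filter()` casts `skb->data` to `struct ethhdr` four times without any guard that the linear area holds a full Ethernet header, so a short skb reaching veth_xmit would read past the buffer; add `if (!pskb_may_pull(skb, ETH_HLEN)) return 0;` at the top and hoist one `const struct ethhdr *eth = (const struct ethhdr *)skb->data;` for the comparisons. The function also gates on `NETIF_F_FIXED_ADDR` in both branches while the commit message mentions only `NETIF_F_VENET`; a header comment should state both conditions and the return convention, e.g. `/* Returns 1 to forward, 0 to drop. Applies only when the sender has NETIF_F_FIXED_ADDR; frames to/from a bridge port are never filtered. */`. `br_port_get_rcu()` requires the RCU read lock, which veth_xmit presumably holds around the peer lookup, but that lock is outside this hunk and worth confirming.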
@@ -124,6 +150,10 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct 
net_device *dev)
            rcv->features & NETIF_F_RXCSUM)
                skb->ip_summed = CHECKSUM_UNNECESSARY;
 
+
+       if (dev->features & NETIF_F_VENET && !vzethdev_filter(skb, dev, rcv))
+               goto drop;
+
        if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) {
                struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats);
 
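Review bot: The new `goto drop` jumps with the skb still owned by this function; if `drop:` is the label in the `dev_forward_skb()` else-branch that only bumps `priv->dropped` (the existing no-peer path calls `kfree_skb()` before jumping there), every filtered frame is leaked. Free it first: `if (dev->features & NETIF_F_VENET && !vzethdev_filter(skb, dev, rcv)) { kfree_skb(skb); goto drop; }`. Also parenthesize the bit test, `(dev->features & NETIF_F_VENET) && ...`, to silence -Wparentheses and make the precedence explicit. The `drop:` label and the rest of veth_xmit lie outside this hunk.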
-- 
1.7.1
