Hi, Andrew,

please, see the comment below

В Чт, 28/05/2015 в 15:06 +0400, Andrew Vagin пишет:
> Only if the NETIF_F_VENET flag is set.
> 
> A container doesn't receive or send packets with a MAC address
> which doesn't belong to it.
> 
> Signed-off-by: Andrew Vagin <[email protected]>
> ---
>  drivers/net/veth.c |   30 ++++++++++++++++++++++++++++++
>  1 files changed, 30 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/net/veth.c b/drivers/net/veth.c
> index 7f64043..7f98a05 100644
> --- a/drivers/net/veth.c
> +++ b/drivers/net/veth.c
> @@ -19,6 +19,7 @@
>  #include <net/xfrm.h>
>  #include <linux/veth.h>
>  #include <linux/module.h>
> +#include "../../net/bridge/br_private.h"
>  
>  #define DRV_NAME     "veth"
>  #define DRV_VERSION  "1.0"
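Review bot: The added include reaches into the bridge's private header by relative path, which ties veth.c to bridge internals for what looks like a single helper, br_port_get_rcu(), used by the new filter. If the filter only needs to know whether a device is enslaved to a bridge, a test on the public flag, `dev->priv_flags & IFF_BRIDGE_PORT`, should give the same answer without the include. If the private header stays, a short comment beside it naming the helper it is needed for would help the next reader.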
> @@ -105,6 +106,31 @@ static const struct ethtool_ops veth_ethtool_ops = {
>       .get_ethtool_stats      = veth_get_ethtool_stats,
>  };
>  
> +static int vzethdev_filter(struct sk_buff *skb, struct net_device *dev, 
> struct net_device *rcv)
> +{
> +     /* Filtering */
> +     if (ve_is_super(dev_net(dev)->owner_ve) &&
> +         dev->features & NETIF_F_FIXED_ADDR) {
> +             /* from VE0 to VEX */
> +             if (ve_is_super(dev_net(rcv)->owner_ve))
> +                     return 1;
> +             if (is_multicast_ether_addr(
> +                                     ((struct ethhdr *)skb->data)->h_dest))
> +                     return 1;
> +             if (!br_port_get_rcu(rcv) &&

Won't we get RCU lockdep warnings here, because rcu_read_lock() is not
held?

> +                     compare_ether_addr(((struct ethhdr 
> *)skb->data)->h_dest, rcv->dev_addr))
> +                             return 0;
> +     } else if (!ve_is_super(dev_net(dev)->owner_ve) &&
> +                dev->features & NETIF_F_FIXED_ADDR) {
> +             /* from VEX to VE0 */
> +             if (!br_port_get_rcu(dev) &&
> +                     compare_ether_addr(((struct ethhdr 
> *)skb->data)->h_source, dev->dev_addr))
> +                             return 0;
> +     }
> +
> +     return 1;
> +}
> +
>  static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
>  {
>       struct veth_priv *priv = netdev_priv(dev);
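Review bot: vzethdev_filter() casts skb->data to struct ethhdr and reads h_dest / h_source without first checking that the linear part of the skb holds a full Ethernet header, and nothing in this hunk shows that a short frame cannot reach it. Since this function is the container's MAC anti-spoofing check, a guard at the top such as `if (!pskb_may_pull(skb, ETH_HLEN)) return 0;` would make it fail closed on truncated frames. Taking `struct ethhdr *eth = (struct ethhdr *)skb->data;` once after that guard would also remove the three repeated casts. The function has no comment stating its contract; something like `/* Returns 1 to pass the frame, 0 to drop it. Bridge ports are not filtered. */` would document that the address checks are skipped when the device is a bridge port. The last three lines of the hunk are the start of veth_xmit(), whose body continues outside it.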
> @@ -124,6 +150,10 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct 
> net_device *dev)
>           rcv->features & NETIF_F_RXCSUM)
>               skb->ip_summed = CHECKSUM_UNNECESSARY;
>  
> +
> +     if (dev->features & NETIF_F_VENET && !vzethdev_filter(skb, dev, rcv))
> +             goto drop;
> +
>       if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) {
>               struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats);
>  
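Review bot: The filter call is gated on `dev->features` of the sending device, and for container-to-host traffic that device is the container's end of the pair. The source-MAC check is therefore only as strong as the guarantee that NETIF_F_VENET and NETIF_F_FIXED_ADDR cannot be cleared from inside the container; nothing visible here shows where the flags are set or whether they are kept out of the user-changeable feature set, so that is worth confirming. The commit description mentions only NETIF_F_VENET while vzethdev_filter() additionally requires NETIF_F_FIXED_ADDR; a comment above the call, e.g. `/* MAC filtering; takes effect only together with NETIF_F_FIXED_ADDR */`, would make that explicit. The hunk also adds two consecutive blank lines before the `if`, where one is enough. The `drop` label and the rest of veth_xmit() lie outside the hunk.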

