The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 61a86914117e0501c21f8301f5d43a9919ba92d7
Author: Pavel Tikhomirov <[email protected]>
Date:   Thu Mar 24 19:53:38 2016 +0400

    vzprivnet6: Don't handle neighbor solicit packets in bridge
    
    Port diff-vzprivnet6-dont-handle-neigh-solicit-in-bridge
      privnet: Don't consider neighbor solicit packets
    
      Normally these do not get forwarded, but the bridging code does so and
      calls the IP_FORWARD hook on them. Need to allow these packets without
      any checks.
    
      https://jira.sw.ru:9443/browse/PSBM-7078
    
      Ported from rhel5
    
    Signed-off-by: Pavel Tikhomirov <[email protected]>
---
 net/ipv6/netfilter/ip6_vzprivnet.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c 
b/net/ipv6/netfilter/ip6_vzprivnet.c
index f87509f..a3667f8 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -301,19 +301,34 @@ static int sparse6_del(unsigned netid, u32 *ip, int weak)
        return err;
 }
 
+static inline int is_ipv6_neighbour_solicit(const struct in6_addr *addr)
+{
+       /* see addrconf_addr_solict_mult */
+       return (addr->s6_addr32[0] == __constant_htonl(0xFF020000) &&
+               addr->s6_addr32[1] == 0 &&
+               addr->s6_addr32[2] == __constant_htonl(1) &&
+               (addr->s6_addr32[3] & __constant_htonl(0xFF000000)) == 
__constant_htonl(0xFF000000));
+}
+
 static unsigned int vzprivnet6_hook(struct sk_buff *skb, int can_be_bridge)
 {
        int verdict = NF_DROP;
        struct vzprivnet *dst, *src;
        struct ipv6hdr *hdr;
 
-       if (can_be_bridge && !vzpn_handle_bridged &&
-                       skb_dst(skb) != NULL && skb_dst(skb)->output != 
ip6_output)
-               return NF_ACCEPT;
+       hdr = ipv6_hdr(skb);
+
+       if (can_be_bridge) {
+               if (!vzpn_handle_bridged &&
+                               skb_dst(skb) != NULL &&
+                               skb_dst(skb)->output != ip6_output)
+                       return NF_ACCEPT;
+               if (is_ipv6_neighbour_solicit(&hdr->daddr))
+                       return NF_ACCEPT;
+       }
 
        read_lock(&vzpriv6lock);
 
-       hdr = ipv6_hdr(skb);
        src = vzprivnet6_lookup_net(hdr->saddr.in6_u.u6_addr32);
        dst = vzprivnet6_lookup_net(hdr->daddr.in6_u.u6_addr32);
 
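Review bot: The new bridge-path accept in vzprivnet6_hook keys only on the destination address: is_ipv6_neighbour_solicit() matches the solicited-node multicast prefix ff02::1:ffXX:XXXX and never looks at the next header or the ICMPv6 type, so any bridged IPv6 packet addressed to that range skips the privnet source/destination lookup, not only neighbour solicitations. If the intent is to exempt ND traffic alone, tighten the condition, e.g. `if (hdr->nexthdr == IPPROTO_ICMPV6 && is_ipv6_neighbour_solicit(&hdr->daddr))`, and ideally also confirm the ICMPv6 type is NDISC_NEIGHBOUR_SOLICITATION once that header is known to be in the linear data. Otherwise rename the helper to say it tests for a solicited-node multicast destination, and extend its comment to state that such packets are accepted unfiltered on the bridged path even when vzpn_handle_bridged is set. The rest of vzprivnet6_hook lies outside this hunk, so whether anything later re-checks these packets is not visible here.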