The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit d4cfc9b687f5f51eb733afcac00d252c7313ed5c
Author: Pavel Tikhomirov <[email protected]>
Date:   Thu Mar 24 19:53:45 2016 +0400

    vzprivnet: Do not execute vzprivnet_hook inside CT
    
    changes:
    1) there is no skb->owner_env so use skb->dev->nd_net->owner_ve
    having ve of device on which we have an operation
    2) add the same check to ipv6 hooks vzprivnet6_hook
    
    Port diff-vzprivnet-netfilter-do-not-do-vzprivnet_hook-inside-CT
      netfilter: do not do vzprivnet_hook inside CT
    
      In container we drop packets in ip_rcv->ip_forward based on
      vzprivnet_classify, as entries_root and vzpriv_search are not
      virtualized it uses the host's vz private networks in checks.
    
      So if we have private network say 172.0.0.0/8 on host:
        cat /proc/vz/privnet/legacy
        172.0.0.0/8/32
      Which has vzprivnet->weak == VZPRIVNET_STRONG(0) any packet
      which came to CT and for instance is DNAT'ed to 172.17.0.2 will
      be dropped in vzprivnet_hook.
    
      Need this for docker, as it uses 172.17.* subnet for docker
      containers, and if we have set vzprivnet mentioned above, docker
      DNAT port forwarding will not work in CTs.
    
      check:
      set vzprivnet:
        host@ echo "+172.0.0.0/8/32" > /proc/vz/privnet/legacy
      setup docker nginx container in default docker-ready PCS6CT:
        docker-ready-ct@ docker run -d -p 8080:80 nginx
      connect from host to container ip:
        host@ curl $docker-ready-ct-ip:8080
      with patch - will work, without - hang.
    
      Odin #2011361 from customer Conetix Pty. Ltd.
    
      https://jira.sw.ru/browse/PSBM-35111
      Signed-off-by: Pavel Tikhomirov <[email protected]>
    
    Signed-off-by: Pavel Tikhomirov <[email protected]>
---
 net/ipv4/netfilter/ip_vzprivnet.c  | 3 +++
 net/ipv6/netfilter/ip6_vzprivnet.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/net/ipv4/netfilter/ip_vzprivnet.c 
b/net/ipv4/netfilter/ip_vzprivnet.c
index 67f108e..687ad60 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -250,6 +250,9 @@ static unsigned int vzprivnet_hook(struct sk_buff *skb, int 
can_be_bridge)
        struct dst_entry *dst;
        unsigned int pmark = VZPRIV_MARK_UNKNOWN;
 
+       if (!ve_is_super(skb->dev->nd_net->owner_ve))
+               return NF_ACCEPT;
+
        dst = skb_dst(skb);
        if (dst != NULL) {
                if (can_be_bridge && dst->output != ip_output) { /* bridge */
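Review bot: the new early return in vzprivnet_hook dereferences skb->dev->nd_net directly; the kernel's dev_net(skb->dev) accessor is the idiomatic way to get a device's netns and keeps the code correct across CONFIG_NET_NS configurations, so `if (!ve_is_super(dev_net(skb->dev)->owner_ve))` is preferable. The check also silently assumes skb->dev is non-NULL for every hook point this function is called from (the callers are not visible in this hunk); a one-line comment stating that assumption, and why packets inside a container are accepted at all (the vzprivnet tables are not virtualized, so host rules must not be applied to CT traffic, as the commit message explains), would make the intent clear to the next reader.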
diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c 
b/net/ipv6/netfilter/ip6_vzprivnet.c
index 317a0e6..654f1c2 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -478,6 +478,9 @@ static unsigned int vzprivnet6_hook(struct sk_buff *skb, 
int can_be_bridge)
        struct vzprivnet *dst, *src;
        struct ipv6hdr *hdr;
 
+       if (!ve_is_super(skb->dev->nd_net->owner_ve))
+               return NF_ACCEPT;
+
        hdr = ipv6_hdr(skb);
 
        if (can_be_bridge) {
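Review bot: this is the same three-line check as in ip_vzprivnet.c, copied verbatim into vzprivnet6_hook; a small shared helper (for example a static inline `vzprivnet_skb_in_ve0(skb)` in a common header) would keep the IPv4 and IPv6 paths from drifting apart, and would give one place to switch to dev_net(skb->dev) instead of the raw skb->dev->nd_net access. The note about documenting the skb->dev non-NULL assumption applies here as well.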
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel