From: Kirill Tkhai <ktk...@virtuozzo.com> Allow conntracks to be allocated in case of these rules are inserted.
https://jira.sw.ru/browse/PSBM-51050 Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com> Reviewed-by: Andrei Vagin <ava...@virtuozzo.com> +++ ve/net: Delete allow_conntrack_allocation() from nf_synproxy Since nf_conntrack_alloc() is not called there anymore, it's not need to allow CT allocation there. https://jira.sw.ru/browse/PSBM-54823 Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com> +++ ve/net: Allow conntrack allocation if a rule with xt_CT target is inserted https://jira.sw.ru/browse/PSBM-54823 Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com> (cherry picked from commit 3b277df5b8bc61eed867ed91f9428d6bda703cf1) +++ see also a357b3f80bc8d ("netfilter: nat: add dependencies on conntrack module") 84899a2b9adaf ("netfilter: xtables: remove xt_connmark v0") VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 ++ net/ipv4/netfilter/ipt_MASQUERADE.c | 6 +++++- net/ipv4/netfilter/ipt_SYNPROXY.c | 2 ++ net/ipv6/netfilter/ip6t_MASQUERADE.c | 6 +++++- net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 ++ net/netfilter/nf_synproxy_core.c | 1 - net/netfilter/xt_CONNSECMARK.c | 2 ++ net/netfilter/xt_CT.c | 1 + net/netfilter/xt_HMARK.c | 1 + net/netfilter/xt_NETMAP.c | 14 ++++++++++++-- net/netfilter/xt_REDIRECT.c | 13 +++++++++++-- net/netfilter/xt_cluster.c | 2 ++ net/netfilter/xt_connbytes.c | 2 ++ net/netfilter/xt_connlabel.c | 3 ++- net/netfilter/xt_connlimit.c | 2 ++ net/netfilter/xt_connmark.c | 2 ++ net/netfilter/xt_conntrack.c | 2 ++ net/netfilter/xt_helper.c | 1 + net/netfilter/xt_ipvs.c | 1 + net/netfilter/xt_nat.c | 14 ++++++++++++-- net/netfilter/xt_socket.c | 10 ++++++++++ net/netfilter/xt_state.c | 2 ++ 22 files changed, 81 insertions(+), 10 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1c6da8ed4702..cfa4e2559aa8 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -507,6 +507,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) return ret; } + allow_conntrack_allocation(par->net); + if (!par->net->xt.clusterip_deprecated_warning) { pr_info("ipt_CLUSTERIP is deprecated and it will removed soon, " "use xt_cluster instead\n"); diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index fd3f9e8a74da..5c710a63223c 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c @@ -32,6 +32,7 @@ MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); static int masquerade_tg_check(const struct xt_tgchk_param *par) { const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; + int ret; if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) { pr_debug("bad MAP_IPS.\n"); @@ -41,7 +42,10 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par) pr_debug("bad rangesize %u\n", mr->rangesize); return -EINVAL; } - return nf_ct_netns_get(par->net, par->family); + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static unsigned int diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c index 270594004e46..b577ec9bafc5 100644 --- a/net/ipv4/netfilter/ipt_SYNPROXY.c +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c @@ -464,6 +464,8 @@ static int synproxy_tg4_check(const struct xt_tgchk_param *par) } snet->hook_ref4++; + if (err == 0) + allow_conntrack_allocation(par->net); return err; } diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c index 29c7f1915a96..56635322aed5 100644 --- a/net/ipv6/netfilter/ip6t_MASQUERADE.c +++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c @@ -30,10 +30,14 @@ masquerade_tg6(struct sk_buff *skb, const struct xt_action_param *par) static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par) { const struct nf_nat_range2 *range = par->targinfo; + int ret; if (range->flags & NF_NAT_RANGE_MAP_IPS) return -EINVAL; - return nf_ct_netns_get(par->net, par->family); + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par) diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c index f1953527af81..97b26842e6d3 100644 --- a/net/ipv6/netfilter/ip6t_SYNPROXY.c +++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c @@ -486,6 +486,8 @@ static int synproxy_tg6_check(const struct xt_tgchk_param *par) } snet->hook_ref6++; + if (err == 0) + allow_conntrack_allocation(par->net); return err; } diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c index eae42e67af47..3996ca086ec2 100644 --- a/net/netfilter/nf_synproxy_core.c +++ b/net/netfilter/nf_synproxy_core.c @@ -340,7 +340,6 @@ static int __net_init synproxy_net_init(struct net *net) struct nf_conn *ct; int err = -ENOMEM; - allow_conntrack_allocation(net); ct = nf_ct_tmpl_alloc(net, &nf_ct_zone_dflt, GFP_KERNEL); if (!ct) goto err1; diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index f3f1caac949b..ad30f5e2aba7 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c @@ -110,6 +110,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); return ret; } diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index 3ae237da9703..281f9d08f230 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -206,6 +206,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, } __set_bit(IPS_CONFIRMED_BIT, &ct->status); nf_conntrack_get(&ct->ct_general); + allow_conntrack_allocation(par->net); out: info->ct = ct; return 0; diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c index 4327e70efea2..c7a4442e3fc1 100644 --- a/net/netfilter/xt_HMARK.c +++ b/net/netfilter/xt_HMARK.c @@ -330,6 +330,7 @@ static int hmark_tg_check(const struct xt_tgchk_param *par) errmsg = "spi-set and port-set can't be combined"; goto err; } + allow_conntrack_allocation(par->net); return 0; err: pr_info_ratelimited("%s\n", errmsg); diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c index 1d437875e15a..b2fde9081c08 100644 --- a/net/netfilter/xt_NETMAP.c +++ b/net/netfilter/xt_NETMAP.c @@ -57,10 +57,15 @@ netmap_tg6(struct sk_buff *skb, const struct xt_action_param *par) static int netmap_tg6_checkentry(const struct xt_tgchk_param *par) { const struct nf_nat_range2 *range = par->targinfo; + int ret; if (!(range->flags & NF_NAT_RANGE_MAP_IPS)) return -EINVAL; - return nf_ct_netns_get(par->net, par->family); + + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static void netmap_tg_destroy(const struct xt_tgdtor_param *par) @@ -107,6 +112,7 @@ netmap_tg4(struct sk_buff *skb, const struct xt_action_param *par) static int netmap_tg4_check(const struct xt_tgchk_param *par) { const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; + int ret; if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) { pr_debug("bad MAP_IPS.\n"); @@ -116,7 +122,11 @@ static int netmap_tg4_check(const struct xt_tgchk_param *par) pr_debug("bad rangesize %u.\n", mr->rangesize); return -EINVAL; } - return nf_ct_netns_get(par->net, par->family); + + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static struct xt_target netmap_tg_reg[] __read_mostly = { diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c index 5ce9461e979c..f076059f887e 100644 --- a/net/netfilter/xt_REDIRECT.c +++ b/net/netfilter/xt_REDIRECT.c @@ -37,11 +37,15 @@ redirect_tg6(struct sk_buff *skb, const struct xt_action_param *par) static int redirect_tg6_checkentry(const struct xt_tgchk_param *par) { const struct nf_nat_range2 *range = par->targinfo; + int ret; if (range->flags & NF_NAT_RANGE_MAP_IPS) return -EINVAL; - return nf_ct_netns_get(par->net, par->family); + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static void redirect_tg_destroy(const struct xt_tgdtor_param *par) @@ -53,6 +57,7 @@ static void redirect_tg_destroy(const struct xt_tgdtor_param *par) static int redirect_tg4_check(const struct xt_tgchk_param *par) { const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; + int ret; if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) { pr_debug("bad MAP_IPS.\n"); @@ -62,7 +67,11 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par) pr_debug("bad rangesize %u.\n", mr->rangesize); return -EINVAL; } - return nf_ct_netns_get(par->net, par->family); + + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static unsigned int diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c index 51d0c257e7a5..8fac1d57f462 100644 --- a/net/netfilter/xt_cluster.c +++ b/net/netfilter/xt_cluster.c @@ -141,6 +141,8 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); return ret; } diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index 93cb018c3055..ffb3b6b420cb 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c @@ -114,6 +114,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); /* * This filter cannot function correctly unless connection tracking diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c index 4fa4efd24353..3e8e36176ac8 100644 --- a/net/netfilter/xt_connlabel.c +++ b/net/netfilter/xt_connlabel.c @@ -67,7 +67,8 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); return ret; - } + } else + allow_conntrack_allocation(par->net); ret = nf_connlabels_get(par->net, info->bit); if (ret < 0) diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index baf23fd71923..136c3b7af0e1 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -98,6 +98,8 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par) if (IS_ERR(info->data)) return PTR_ERR(info->data); + allow_conntrack_allocation(par->net); + return 0; } diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 29c38aa7f726..8ac6ee052543 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c @@ -149,6 +149,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); return ret; } diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index df80fe7d391c..c9ee5096f695 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c @@ -274,6 +274,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); return ret; } diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c index fd077aeaaed9..51d1c088b74a 100644 --- a/net/netfilter/xt_helper.c +++ b/net/netfilter/xt_helper.c @@ -66,6 +66,7 @@ static int helper_mt_check(const struct xt_mtchk_param *par) return ret; } info->name[sizeof(info->name) - 1] = '\0'; + allow_conntrack_allocation(par->net); return 0; } diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c index 1d950a6100af..c6f145b15e65 100644 --- a/net/netfilter/xt_ipvs.c +++ b/net/netfilter/xt_ipvs.c @@ -163,6 +163,7 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par) return -EINVAL; } + allow_conntrack_allocation(par->net); return 0; } diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c index 61eabd171186..cea8fb83eccc 100644 --- a/net/netfilter/xt_nat.c +++ b/net/netfilter/xt_nat.c @@ -19,17 +19,27 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par) { const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo; + int ret; if (mr->rangesize != 1) { pr_info_ratelimited("multiple ranges no longer supported\n"); return -EINVAL; } - return nf_ct_netns_get(par->net, par->family); + + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static int xt_nat_checkentry(const struct xt_tgchk_param *par) { - return nf_ct_netns_get(par->net, par->family); + int ret; + + ret = nf_ct_netns_get(par->net, par->family); + if (ret == 0) + allow_conntrack_allocation(par->net); + return ret; } static void xt_nat_destroy(const struct xt_tgdtor_param *par) diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index ada144e5645b..cb57ccdcb1b0 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c @@ -169,6 +169,12 @@ static int socket_mt_enable_defrag(struct net *net, int family) return 0; } +static int socket_mt_v0_check(const struct xt_mtchk_param *par) +{ + allow_conntrack_allocation(par->net); + return 0; +} + static int socket_mt_v1_check(const struct xt_mtchk_param *par) { const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; @@ -183,6 +189,7 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par) info->flags & ~XT_SOCKET_FLAGS_V1); return -EINVAL; } + allow_conntrack_allocation(par->net); return 0; } @@ -200,6 +207,7 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par) info->flags & ~XT_SOCKET_FLAGS_V2); return -EINVAL; } + allow_conntrack_allocation(par->net); return 0; } @@ -217,6 +225,7 @@ static int socket_mt_v3_check(const struct xt_mtchk_param *par) info->flags & ~XT_SOCKET_FLAGS_V3); return -EINVAL; } + allow_conntrack_allocation(par->net); return 0; } @@ -226,6 +235,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = { .revision = 0, .family = NFPROTO_IPV4, .match = socket_mt4_v0, + .checkentry = socket_mt_v0_check, .hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN), .me = THIS_MODULE, diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c index 0b41c0befe3c..f6f1c7668210 100644 --- a/net/netfilter/xt_state.c +++ b/net/netfilter/xt_state.c @@ -46,6 +46,8 @@ static int state_mt_check(const struct xt_mtchk_param *par) if (ret < 0) pr_info_ratelimited("cannot load conntrack support for proto=%u\n", par->family); + else + allow_conntrack_allocation(par->net); return ret; } -- 2.28.0 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel