From: Stanislav Kinsburskiy <[email protected]> Rebasing and splitting netfilters sybsystem (port 66-diff-ve-net-netfilter-combined). Part 1.
https://jira.sw.ru/browse/PSBM-18322 Signed-off-by: Kirill Tkhai <[email protected]> khorenko@: rebase to kernel-3.10.0-229.7.2.el7: * hunk for include/net/netfilter/xt_log.h has been dropped cause the file absents now * couple of CAP_NET_ADMIN -> CAP_NET_ADMIN + CAP_VE_NET_ADMIN replacements have been dropped because Initial patch already have proper version +++ ve/net/printk: net_veboth_ratelimited introduced net_veboth_ratelimited is required to save net-ratelimited messages both into host and into containers dmesg buffers Signed-off-by: Vasily Averin <[email protected]> Acked-by: Kirill Tkhai <[email protected]> ============================================== net: remove CAP_VE_NET_ADMIN from "ve/netfilter: Basic ve transformations" https://jira.sw.ru/browse/PSBM-39077 Signed-off-by: Andrew Vagin <[email protected]> Reviewed-by: Vladimir Davydov <[email protected]> (cherry picked from commit 5c8089d) VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <[email protected]> --- include/linux/netfilter/x_tables.h | 17 ++++++++ net/ipv4/netfilter/ip_tables.c | 15 +++++-- net/ipv4/netfilter/ipt_REJECT.c | 4 +- net/ipv6/netfilter/ip6_tables.c | 3 ++ net/netfilter/x_tables.c | 70 +++++++++++++++--------------- net/netfilter/xt_TCPMSS.c | 12 ++--- net/netfilter/xt_limit.c | 4 +- 7 files changed, 79 insertions(+), 46 deletions(-) diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h index 9077b3ebea08..781ac5c3649e 100644 --- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -531,4 +531,21 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems, unsigned int next_offset); #endif /* CONFIG_COMPAT */ + +#ifdef CONFIG_VE +static inline bool ve_xt_table_forbidden(struct xt_table *xt) +{ + /* + * The only purpose to have this check as a separate + * helper is "grep"-a-bility + * + * If this helper hit it means that a VE has been + * configured without the particular xt_table support + */ + return xt == NULL; +} +#else +static inline bool ve_xt_table_forbidden(struct xt_table *xt) { return true; } +#endif + #endif /* _X_TABLES_H */ diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index e3bc52578af3..2e9b53e15f70 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -242,6 +242,9 @@ ipt_do_table(struct sk_buff *skb, struct xt_action_param acpar; unsigned int addend; + if (ve_xt_table_forbidden(table)) + return NF_ACCEPT; + /* Initialization */ stackidx = 0; ip = ip_hdr(skb); @@ -391,9 +394,12 @@ mark_source_chains(const struct xt_table_info *newinfo, = (void *)ipt_get_target_c(e); int visited = e->comefrom & (1 << hook); - if (e->comefrom & (1 << NF_INET_NUMHOOKS)) + if (e->comefrom & (1 << NF_INET_NUMHOOKS)) { + ve_printk(VE_LOG, "iptables: loop hook %u pos " + "%u %08X.\n", + hook, pos, e->comefrom); return 0; - + } e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); /* Unconditional return/END. */ @@ -1537,6 +1543,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len) return ret; } +static int +do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len); + static int compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) @@ -1556,7 +1565,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, break; default: - ret = -EINVAL; + ret = do_ipt_set_ctl(sk, cmd, user, len); } return ret; diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index e8bed3390e58..36c9a96d994e 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c @@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par) const struct ipt_entry *e = par->entryinfo; if (rejinfo->with == IPT_ICMP_ECHOREPLY) { - pr_info_ratelimited("ECHOREPLY no longer supported.\n"); + ve_printk_ratelimited(VE_LOG, "ECHOREPLY no longer supported.\n"); return -EINVAL; } else if (rejinfo->with == IPT_TCP_RESET) { /* Must specify that it's a TCP packet */ if (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO)) { - pr_info_ratelimited("TCP_RESET invalid for non-tcp\n"); + ve_printk_ratelimited(VE_LOG, "TCP_RESET invalid for non-tcp\n"); return -EINVAL; } } diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 238a1f135499..ead7ba41223a 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -266,6 +266,9 @@ ip6t_do_table(struct sk_buff *skb, struct xt_action_param acpar; unsigned int addend; + if (ve_xt_table_forbidden(table)) + return NF_ACCEPT; + /* Initialization */ stackidx = 0; indev = state->in ? state->in->name : nulldevname; diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index c5014610d3b9..596cdd2cc77b 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -473,35 +473,36 @@ int xt_check_match(struct xt_mtchk_param *par, * ebt_among is exempt from centralized matchsize checking * because it uses a dynamic-size data set. */ - pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n", - xt_prefix[par->family], par->match->name, - par->match->revision, - XT_ALIGN(par->match->matchsize), size); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u match: invalid size " + "%u (kernel) != (user) %u\n", + xt_prefix[par->family], par->match->name, + par->match->revision, + XT_ALIGN(par->match->matchsize), size); return -EINVAL; } if (par->match->table != NULL && strcmp(par->match->table, par->table) != 0) { - pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n", - xt_prefix[par->family], par->match->name, - par->match->table, par->table); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid in %s table, not %s\n", + xt_prefix[par->family], par->match->name, + par->match->table, par->table); return -EINVAL; } if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) { char used[64], allow[64]; - pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n", - xt_prefix[par->family], par->match->name, - textify_hooks(used, sizeof(used), - par->hook_mask, par->family), - textify_hooks(allow, sizeof(allow), - par->match->hooks, - par->family)); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: used from hooks %s, but only " + "valid from %s\n", + xt_prefix[par->family], par->match->name, + textify_hooks(used, sizeof(used), par->hook_mask, + par->family), + textify_hooks(allow, sizeof(allow), par->match->hooks, + par->family)); return -EINVAL; } if (par->match->proto && (par->match->proto != proto || inv_proto)) { - pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n", - xt_prefix[par->family], par->match->name, - par->match->proto); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid for protocol %u\n", + xt_prefix[par->family], par->match->name, + par->match->proto); return -EINVAL; } if (par->match->checkentry != NULL) { @@ -991,35 +992,36 @@ int xt_check_target(struct xt_tgchk_param *par, int ret; if (XT_ALIGN(par->target->targetsize) != size) { - pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n", - xt_prefix[par->family], par->target->name, - par->target->revision, - XT_ALIGN(par->target->targetsize), size); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u target: invalid size " + "%u (kernel) != (user) %u\n", + xt_prefix[par->family], par->target->name, + par->target->revision, + XT_ALIGN(par->target->targetsize), size); return -EINVAL; } if (par->target->table != NULL && strcmp(par->target->table, par->table) != 0) { - pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n", - xt_prefix[par->family], par->target->name, - par->target->table, par->table); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid in %s table, not %s\n", + xt_prefix[par->family], par->target->name, + par->target->table, par->table); return -EINVAL; } if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) { char used[64], allow[64]; - pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n", - xt_prefix[par->family], par->target->name, - textify_hooks(used, sizeof(used), - par->hook_mask, par->family), - textify_hooks(allow, sizeof(allow), - par->target->hooks, - par->family)); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: used from hooks %s, but only " + "usable from %s\n", + xt_prefix[par->family], par->target->name, + textify_hooks(used, sizeof(used), par->hook_mask, + par->family), + textify_hooks(allow, sizeof(allow), par->target->hooks, + par->family)); return -EINVAL; } if (par->target->proto && (par->target->proto != proto || inv_proto)) { - pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n", - xt_prefix[par->family], par->target->name, - par->target->proto); + ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid for protocol %u\n", + xt_prefix[par->family], par->target->name, + par->target->proto); return -EINVAL; } if (par->target->checkentry != NULL) { diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 98efb202f8b4..a8bd2680f8df 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -108,7 +108,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu); if (min_mtu <= minlen) { - net_err_ratelimited("unknown or invalid path-MTU (%u)\n", + net_velog_ratelimited("unknown or invalid path-MTU (%u)\n", min_mtu); return -1; } @@ -273,7 +273,8 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par) (par->hook_mask & ~((1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING))) != 0) { - pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n"); + ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in " + "FORWARD, OUTPUT and POSTROUTING hooks\n"); return -EINVAL; } if (par->nft_compat) @@ -282,7 +283,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par) xt_ematch_foreach(ematch, e) if (find_syn_match(ematch)) return 0; - pr_info_ratelimited("Only works on TCP SYN packets\n"); + ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n"); return -EINVAL; } @@ -297,7 +298,8 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par) (par->hook_mask & ~((1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING))) != 0) { - pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n"); + ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in " + "FORWARD, OUTPUT and POSTROUTING hooks\n"); return -EINVAL; } if (par->nft_compat) @@ -306,7 +308,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par) xt_ematch_foreach(ematch, e) if (find_syn_match(ematch)) return 0; - pr_info_ratelimited("Only works on TCP SYN packets\n"); + ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n"); return -EINVAL; } #endif diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c index 9f098ecb2449..01ef88265879 100644 --- a/net/netfilter/xt_limit.c +++ b/net/netfilter/xt_limit.c @@ -106,8 +106,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par) /* Check for overflow. */ if (r->burst == 0 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { - pr_info_ratelimited("Overflow, try lower: %u/%u\n", - r->avg, r->burst); + ve_printk_ratelimited(VE_LOG, "Overflow, try lower: %u/%u\n", + r->avg, r->burst); return -ERANGE; } -- 2.28.0 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
