From: Vladimir Davydov <vdavy...@virtuozzo.com>

ip_vti devices lack NETIF_F_VIRTUAL, so they can't be created inside a container. The problem is that a device of this kind is created on net ns init if the module is loaded; as a result, a container start fails with EPERM.
We could allow ip_vti inside container (as well as other net devices, which I would really like to do), but this is insecure and might break migration, so let's keep it disabled and fix the issue by silently skipping ip_vti per net init if running inside a ve. https://jira.sw.ru/browse/PSBM-48698 Signed-off-by: Vladimir Davydov <vdavy...@virtuozzo.com> Rebased to RHEL8 beta kernel: Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> https://jira.sw.ru/browse/PSBM-133986 (cherry picked from commit d2fc3d088444fff6c12b27b3754de2ace1ffaff2) Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> --- net/ipv4/ip_vti.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index eb560eecee08..f9642e4ebda3 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -39,6 +39,8 @@ #include <net/net_namespace.h> #include <net/netns/generic.h> +#include <linux/ve.h> + static struct rtnl_link_ops vti_link_ops __read_mostly; static unsigned int vti_net_id __read_mostly; @@ -52,6 +54,9 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi, struct net *net = dev_net(skb->dev); struct ip_tunnel_net *itn = net_generic(net, vti_net_id); + if (itn == NULL) + return -EINVAL; + tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, iph->saddr, iph->daddr, 0); if (tunnel) { @@ -323,6 +328,9 @@ static int vti4_err(struct sk_buff *skb, u32 info) int protocol = iph->protocol; struct ip_tunnel_net *itn = net_generic(net, vti_net_id); + if (itn == NULL) + return -1; + tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, iph->daddr, iph->saddr, 0); if (!tunnel) @@ -501,6 +509,11 @@ static int __net_init vti_init_net(struct net *net) int err; struct ip_tunnel_net *itn; + if (!ve_is_super(net->owner_ve)) { + net_generic_free(net, vti_net_id); + return 0; + } + err = ip_tunnel_init_net(net, vti_net_id, &vti_link_ops, "ip_vti0"); if (err) return err; 
@@ -567,6 +580,9 @@ static int vti_newlink(struct net *src_net, struct net_device *dev, struct ip_tunnel_parm parms; __u32 fwmark = 0; + if (net_generic(dev_net(dev), vti_net_id) == NULL) + return -EACCES; + vti_netlink_parms(data, &parms, &fwmark); return ip_tunnel_newlink(dev, tb, &parms, fwmark); } -- 2.31.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
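Review bot: the new `if (itn == NULL) return -EINVAL;` in vti_input has no comment explaining why the per-net slot can be NULL at all; a reader of ip_vti.c has to find the ve_is_super() branch in vti_init_net to learn that the slot is deliberately freed for non-super ve's. Suggest a one-line comment at the check, e.g. `/* ip_vti is disabled in this net (non-super ve), see vti_init_net() */`, and the same at the matching guard in vti4_err. Please also confirm that the callers of vti_input treat this -EINVAL the same way as a failed tunnel lookup, since a packet arriving in a container netns now takes this path instead of the `if (tunnel)` branch.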
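Review bot: vti_init_net frees the generic slot for non-super ve's and every reader of net_generic(net, vti_net_id) touched by this patch (vti_input, vti4_err, vti_newlink) gets a NULL guard, but the pernet exit path is not in the diff. Whatever vti's pernet exit callback does with net_generic(net, vti_net_id) (tunnel teardown through the ip_tunnel helpers) will now run against a NULL slot every time a container's netns is destroyed; please confirm it is NULL-safe or add the same guard there. It would also help to mention in the commit message that the freed slot is the signal the other checks key on, so that anyone adding a new user of vti_net_id knows to test for NULL.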
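Review bot: the commit message describes the motivating failure as EPERM, but the new check in vti_newlink returns -EACCES when a tunnel is created in a netns whose slot is NULL, so userspace sees two different permission errors for the same "not allowed inside a ve" condition depending on whether the device comes from net ns init or from an explicit link creation. Consider returning -EPERM for consistency with the NETIF_F_VIRTUAL behaviour the message refers to, or state in the message that EACCES is intended, since this is the error a user gets when trying to create a vti link inside a container.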