The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit d278b36ce34a61d786acb2cf5f61ba47a230b0c5
Author: Vladimir Davydov <vdavydov....@gmail.com>
Date:   Fri Sep 24 14:50:19 2021 +0300

    ve/net: ip_vti: skip per net init in ve
    
    ip_vti devices lack NETIF_F_VIRTUAL, so they can't be created inside a
    container. The problem is that a device of this kind is created on net ns init if
    the module is loaded; as a result, container start fails with EPERM.
    
    We could allow ip_vti inside container (as well as other net devices,
    which I would really like to do), but this is insecure and might break
    migration, so let's keep it disabled and fix the issue by silently
    skipping ip_vti per net init if running inside a ve.
    
    https://jira.sw.ru/browse/PSBM-48698
    
    Signed-off-by: Vladimir Davydov <vdavy...@virtuozzo.com>
    
    Rebased to RHEL8 beta kernel:
    Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-133986
    
    (cherry picked from commit d2fc3d088444fff6c12b27b3754de2ace1ffaff2)
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com>
---
 net/ipv4/ip_vti.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index eb560eecee08..f9642e4ebda3 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -39,6 +39,8 @@
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 
+#include <linux/ve.h>
+
 static struct rtnl_link_ops vti_link_ops __read_mostly;
 
 static unsigned int vti_net_id __read_mostly;
@@ -52,6 +54,9 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 
spi,
        struct net *net = dev_net(skb->dev);
        struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
 
+       if (itn == NULL)
+               return -EINVAL;
+
        tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
                                  iph->saddr, iph->daddr, 0);
        if (tunnel) {
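Review bot: The guard added before the lookup only works if net_generic() yields NULL for a net whose slot vti_init_net() released with net_generic_free(); that dependency is not visible at this point in the file and deserves a comment at the check, e.g. `/* no per-net state: ip_vti is disabled inside a ve, see vti_init_net() */`, with the same line at the identical guard in vti4_err. Returning -EINVAL presumably mirrors the function's existing no-tunnel return so the packet is still offered to the next handler, but that return lies below the hunk, so this is inferred rather than seen. vti_input starts and ends outside the hunk.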
@@ -323,6 +328,9 @@ static int vti4_err(struct sk_buff *skb, u32 info)
        int protocol = iph->protocol;
        struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
 
+       if (itn == NULL)
+               return -1;
+
        tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
                                  iph->daddr, iph->saddr, 0);
        if (!tunnel)
@@ -501,6 +509,11 @@ static int __net_init vti_init_net(struct net *net)
        int err;
        struct ip_tunnel_net *itn;
 
+       if (!ve_is_super(net->owner_ve)) {
+               net_generic_free(net, vti_net_id);
+               return 0;
+       }
+
        err = ip_tunnel_init_net(net, vti_net_id, &vti_link_ops, "ip_vti0");
        if (err)
                return err;
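Review bot: The skip leaves every container net without an ip_tunnel_net, but the matching net-exit callback is not part of this diff; if it still walks the whole exit batch through ip_tunnel_delete_nets(), a container net will reach it with NULL per-net state unless net_generic_free() also keeps the net out of that path, which is worth confirming before merging. The early return of 0 makes the pernet registration succeed silently, which is what the description intends, but a comment at the check would spare the next reader a trip to the changelog: `/* ip_vti devices lack NETIF_F_VIRTUAL and cannot exist in a ve; skip per-net init rather than fail container start */`. vti_init_net continues past the hunk.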
@@ -567,6 +580,9 @@ static int vti_newlink(struct net *src_net, struct 
net_device *dev,
        struct ip_tunnel_parm parms;
        __u32 fwmark = 0;
 
+       if (net_generic(dev_net(dev), vti_net_id) == NULL)
+               return -EACCES;
+
        vti_netlink_parms(data, &parms, &fwmark);
        return ip_tunnel_newlink(dev, tb, &parms, fwmark);
 }
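Review bot: The check keys on dev_net(dev) while the function also receives src_net (visible in the hunk header); that is presumably correct because the per-net tunnel table belongs to the device's own net, but a one-line comment would stop a reader from "fixing" it to src_net: `/* per-net state is keyed by the device's net, not the link net */`. The error code also differs from the EPERM the description cites for the NETIF_F_VIRTUAL failure; -EACCES is a reasonable choice, but the reason for picking it should be stated next to the return. vti_newlink's signature starts outside the hunk.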