The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after ark-5.14 ------> commit 1bc85277bc44cb24cff8392d5fb0ca7e8168978d Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Date: Thu Sep 30 17:43:58 2021 +0300
fence-watchdog: Add xt_wdog_tmo netfilter match fix wdog_tmo_mt and wdog_tmo_mt_check to match prototypes Author: Dmitry Guryanov Email: dgurya...@parallels.com Subject: watchdog: add wdog_tmo match Date: Fri, 8 Nov 2013 22:38:09 +0400 Add wdog_tmo netfilter match, which returns true if out watchdog timeout exceed. You have to set watchdog action to 'netfilter', so that host won't reboot or halt. Fix for: https://jira.sw.ru/browse/PSBM-23253 Dmitry Guryanov (2): watchdog: add netfilter action watchdog: add wdog_tmo match This patch description: Add wdog_tmo match, which could be used to forbid network traffic in case of watchdog timeout. This match doesn't have any parameters, example of usage: iptables -A OUTPUT -m wdog_tmo -j DROP You have to add support of this match to userspace iptables part. Signed-off-by: Dmitry Guryanov <dgurya...@parallels.com> Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Acked-by: Andrew Vagin <ava...@virtuozzo.com> (cherry-picked from vz8 commit b97a20406a8f ("fence-watchdog: Add xt_wdog_tmo netfilter match")) Added "CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m" to redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
 net/netfilter/Kconfig | 6 +++
 net/netfilter/Makefile | 1 +
 net/netfilter/xt_wdog_tmo.c | 56 ++++++++++++++++++++++
 .../generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO | 1 +
 4 files changed, 64 insertions(+)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 54395266339d..39c47979b515 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1645,6 +1645,12 @@ config NETFILTER_XT_MATCH_U32
 	  Details and examples are in the kernel module source.
+config NETFILTER_XT_MATCH_WDOG_TMO
+	tristate '"wdog_tmo" watchdog timer match'
+	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK && FENCE_WATCHDOG
+	help
+	  This option selects the watchdog timer match module.
+
 endif # NETFILTER_XTABLES
 endmenu
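Review bot: The help text of NETFILTER_XT_MATCH_WDOG_TMO only says it "selects the watchdog timer match module", which tells an administrator nothing about when the match fires or who may use it; describe the contract instead, e.g. `Matches every packet once the fence watchdog timeout has expired, so a rule such as "-m wdog_tmo -j DROP" can cut the host off the network instead of rebooting it; only the host (ve0) may install such a rule.` The `NETFILTER_NETLINK` dependency also looks unneeded: the new xt_wdog_tmo.c in this commit references no netlink symbol, so unless linux/fence-watchdog.h or the 'netfilter' watchdog action requires it, `depends on NETFILTER_ADVANCED && FENCE_WATCHDOG` would presumably suffice, and if it is required the reason belongs in the help text.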
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 049890e00a3d..2d93db999518 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -206,6 +206,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_WDOG_TMO) += xt_wdog_tmo.o
 # ipset
 obj-$(CONFIG_IP_SET) += ipset/
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
new file mode 100644
index 000000000000..80047ad71405
--- /dev/null
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -0,0 +1,56 @@
+/*
+ * net/netfilter/xt_wdog_tmo.c
+ *
+ * Copyright (c) 2013-2015 Parallels IP Holdings GmbH
+ * Copyright (c) 2017-2021 Virtuozzo International GmbH. All rights reserved.
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/fence-watchdog.h>
+
+static bool
+wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	return fence_wdog_tmo_match();
+}
+
+int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
+{
+
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+	return 0;
+}
+
+static struct xt_match wdog_tmo_mt_reg __read_mostly = {
+	.name = "wdog_tmo",
+	.revision = 0,
+	.family = NFPROTO_UNSPEC,
+	.match = wdog_tmo_mt,
+	.checkentry = wdog_tmo_mt_check,
+	.matchsize = 0,
+	.me = THIS_MODULE,
+};
+
+static int __init wdog_tmo_mt_init(void)
+{
+	return xt_register_match(&wdog_tmo_mt_reg);
+}
+
+static void __exit wdog_tmo_mt_exit(void)
+{
+	xt_unregister_match(&wdog_tmo_mt_reg);
+}
+
+module_init(wdog_tmo_mt_init);
+module_exit(wdog_tmo_mt_exit);
+MODULE_AUTHOR("Dmitry Guryanov <dgurya...@virtuozzo.com>");
+MODULE_DESCRIPTION("Xtables: fence watchdog timeout matching");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_wdog_tmo");
+MODULE_ALIAS("ip6t_wdog_tmo");
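Review bot: `wdog_tmo_mt_check` in the new xt_wdog_tmo.c is the only function in the file that is not `static`, and although the subject says the prototypes were fixed, no header declares it, so it exports a needless global symbol and would presumably warn under W=1 (-Wmissing-prototypes); change the signature to `static int wdog_tmo_mt_check(const struct xt_mtchk_param *par)` and drop the stray blank line that opens its body. The file also has no comment stating the match's contract; a short header comment saying that the match fires for every packet once fence_wdog_tmo_match() reports the fence watchdog timeout has expired, and that checkentry returns -EPERM unless the caller runs in the host environment (ve_is_super) so that containers cannot install the rule, would spare the next reader a trip to linux/fence-watchdog.h. `<linux/file.h>` and `<net/sock.h>` are not used by anything in this file and look like leftovers that could be removed.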
diff --git a/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
new file mode 100644
index 000000000000..390db568ebdb
--- /dev/null
+++ b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
@@ -0,0 +1 @@
+CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel