On Thu, Sep 15, 2016 at 06:35:42PM +0300, Kirill Tkhai wrote: > Since synproxy's allow_conntrack_allocation() call is executed > from pernet init, loading the nf_synproxy_core module allows conntrack > allocation for all nets. > > Fix that by allocating the synproxy sample conntrack directly (and stop > enabling conntrack allocation for the whole net from pernet init). > > https://jira.sw.ru/browse/PSBM-52218 >
Acked-by: Andrei Vagin <ava...@virtuozzo.com> > Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com> > --- > include/net/netfilter/nf_conntrack.h | 5 +++++ > net/netfilter/nf_conntrack_core.c | 11 ++++++----- > net/netfilter/nf_synproxy_core.c | 3 +-- > 3 files changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack.h > b/include/net/netfilter/nf_conntrack.h
> index b0da003..fefe866 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -253,6 +253,11 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, u16 > zone,
> const struct nf_conntrack_tuple *orig,
> const struct nf_conntrack_tuple *repl,
> gfp_t gfp);
> +struct nf_conn *
> +__nf_conntrack_alloc(struct net *net, u16 zone,
> + const struct nf_conntrack_tuple *orig,
> + const struct nf_conntrack_tuple *repl,
> + gfp_t gfp, u32 hash, bool can_alloc);
>
> static inline int nf_ct_is_template(const struct nf_conn *ct)
> {
> diff --git a/net/netfilter/nf_conntrack_core.c > b/net/netfilter/nf_conntrack_core.c
> index 15e8479..d46c905 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -832,16 +832,16 @@ void init_nf_conntrack_hash_rnd(void)
> cmpxchg(&nf_conntrack_hash_rnd, 0, rand);
> }
>
> -static struct nf_conn *
> +struct nf_conn *
> __nf_conntrack_alloc(struct net *net, u16 zone,
> const struct nf_conntrack_tuple *orig,
> const struct nf_conntrack_tuple *repl,
> - gfp_t gfp, u32 hash)
> + gfp_t gfp, u32 hash, bool can_alloc)
> {
> unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
> struct nf_conn *ct;
>
> - if (!net->ct.can_alloc) {
> + if (!net->ct.can_alloc && !can_alloc) {
> /* No rules loaded */
> return NULL;
> }
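Review bot: The newly exported prototype of `__nf_conntrack_alloc` in nf_conntrack.h says nothing about what `can_alloc` means or who is allowed to pass true, and the name is easily confused with the per-net `net->ct.can_alloc` field that it overrides in the core hunk. Since the symbol is now EXPORT_SYMBOL_GPL'd, any module can call it and silently skip the "no rules loaded" gate, so the contract belongs next to the declaration. I would add above it: `/* can_alloc = true bypasses the per-net net->ct.can_alloc gate; intended only for template/sample entries such as synproxy's, never for entries created from traffic. */` — the second half of that sentence is my reading of the synproxy hunk and should be confirmed by the author.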
> @@ -915,13 +915,14 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
> return ERR_PTR(-ENOMEM);
> #endif
> }
> +EXPORT_SYMBOL_GPL(__nf_conntrack_alloc);
>
> struct nf_conn *nf_conntrack_alloc(struct net *net, u16 zone,
> const struct nf_conntrack_tuple *orig,
> const struct nf_conntrack_tuple *repl,
> gfp_t gfp)
> {
> - return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0);
> + return __nf_conntrack_alloc(net, zone, orig, repl, gfp, 0, false);
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
>
> @@ -968,7 +969,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
> }
>
> ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
> - hash);
> + hash, false);
> if (IS_ERR_OR_NULL(ct))
> return (struct nf_conntrack_tuple_hash *)ct;
>
> diff --git a/net/netfilter/nf_synproxy_core.c > b/net/netfilter/nf_synproxy_core.c
> index 779e5a6..3184505 100644
> --- a/net/netfilter/nf_synproxy_core.c
> +++ b/net/netfilter/nf_synproxy_core.c
> @@ -353,8 +353,7 @@ static int __net_init synproxy_net_init(struct net *net)
> int err = -ENOMEM;
>
> memset(&t, 0, sizeof(t));
> - allow_conntrack_allocation(net);
> - ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
> + ct = __nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL, 0, true);
> if (IS_ERR(ct)) {
> err = PTR_ERR(ct);
> goto err1;
> _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
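Review bot: In the gate `if (!net->ct.can_alloc && !can_alloc)` the new parameter shares its name with the per-net field it overrides, so a reader cannot tell at the call site which of the two is the policy and which is the override, and the `/* No rules loaded */` comment no longer describes the condition. I would name the argument for its effect, e.g. `bool bypass_gate`, and reword the comment to `/* No rules loaded and caller did not ask to bypass the gate */`. Note that the per-net limit `ct_max` computed just above is still in force for a bypassing caller as far as the visible lines show, which is the right behaviour; the remainder of `__nf_conntrack_alloc` is outside this hunk, so I could not check whether a later path also returns NULL.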
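Review bot: The check `if (IS_ERR(ct))` after the new `__nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL, 0, true)` call does not handle a NULL return, while the core caller in `init_conntrack` (earlier hunk) guards the same function with `IS_ERR_OR_NULL`. Passing `true` skips the one visible `return NULL` path, so NULL is not expected today, but the function is exported and its remaining body is outside this hunk, and a NULL that slipped through would presumably be used as a valid conntrack further down. `if (IS_ERR_OR_NULL(ct)) { err = ct ? PTR_ERR(ct) : -ENOMEM; goto err1; }` keeps the init path robust at no cost. The body of `synproxy_net_init` continues past the end of the hunk.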