[Devel] [PATCH RHEL7 COMMIT] ve/net: Add ipt_mask checks into ip6table_nat

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jul 16 06:30:33 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.25
------>
commit 87b2412d7512a1dd5d3a0d8c4c040aa055fc8103
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Thu Jul 16 17:30:33 2015 +0400

    ve/net: Add ipt_mask checks into ip6table_nat
    
    Register pernet table only if it's allowed.
    
    https://jira.sw.ru/browse/PSBM-34748
    
    khorenko@: this is required in order for the nf_conntrack module's
    "ip_conntrack_disable_ve0" option to handle both the ipv4 and the
    ipv6 nat cases.
    
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
    Acked-by: Andrew Vagin <avagin at odin.com>
---
 net/ipv6/netfilter/ip6table_nat.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 1be22b9..e50a640 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -289,6 +289,10 @@ static int __net_init ip6table_nat_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
 
+	if (!net_ipt_permitted(net, VE_IP_IPTABLE_NAT) ||
+	    !net_ipt_permitted(net, VE_IP_IPTABLES6))
+		return 0;
+
 	repl = ip6t_alloc_initial_table(&nf_nat_ipv6_table);
 	if (repl == NULL)
 		return -ENOMEM;
@@ -299,7 +303,11 @@ static int __net_init ip6table_nat_net_init(struct net *net)
 
 static void __net_exit ip6table_nat_net_exit(struct net *net)
 {
+	if (!net->ipv6.ip6table_nat)
+		return;
+
 	ip6t_unregister_table(net, net->ipv6.ip6table_nat);
+	net->ipv6.ip6table_nat = NULL;
 }
 
 static struct pernet_operations ip6table_nat_net_ops = {
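Review bot: The new NULL guard in ip6table_nat_net_exit gives no hint why `net->ipv6.ip6table_nat` can be NULL here, which is only clear from the permission check added to the init side; a one-line comment like `/* net_init skipped registration (ipt mask); nothing to unregister */` would keep the two sides readable on their own. The guard also relies on the pointer being zero for a netns where init returned early, presumably guaranteed by the netns allocation zeroing struct net, which is worth stating next to the check. Resetting the pointer to NULL after ip6t_unregister_table is a welcome hardening against a stale pointer being unregistered twice.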



More information about the Devel mailing list