[Devel] [PATCH 05/14] Subject: netfilter: MARK -- drop off @table entity to support rhel5 containers, v2
Kirill Tkhai
ktkhai at odin.com
Mon Jun 8 07:20:49 PDT 2015
Porting patch diff-ve-netfilter-MARK-drop-off-table-entity-to-support-rhel5-containers-v2:
rhel5 based containers use old iptables (1.3.5 series) which uses
@revision = 1 when setting up MARK rule
| CT-121-bash-3.2# iptables -A OUTPUT -d 192.168.55.87 -j MARK --set-mark 2000
| iptables: Unknown error 18446744073709551615
The kernel in turn returns -EINVAL, which comes from a callchain
do_ipt_set_ctl
do_replace
translate_table
find_check_entry
check_target
xt_check_target
if (par->target->table != NULL &&
strcmp(par->target->table, par->table) != 0) {
pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
xt_prefix[par->family], par->target->name,
par->target->table, par->table);
return -EINVAL;
}
here if @revision = 1 is used the @mark_tg_reg has @table = "mangle",
while by default the iptables 1.3.5 passes "filter" inside arguments
into the kernel, which in turn cause mismatch here.
Strictly speaking I don't really understand where this @table = mangle
came from, the vanilla kernel doesn't have it at all (even when was
supporting @revision = 1, new vanilla kernels operate with @revision = 2
only).
Neither I see any other potential side effect of dropping off the
@table limitation here.
| vvs@:
| .table = mangle was set in in @revision = 0 and @revision = 1 versions of xt_MARK targets
| These versions was removed from mainline kernel between 2.6.18 and 2.6.32:
| c8001f7fd5a4684280fddceed9fae9ea2e4fb521 netfilter: xtables: remove xt_MARK v0, v1
|
| But we returned them back during our rebase to RHEL6 kernels.
| It was required to allow old iptables binaries work on new kernels.
|
| As far as I understand old iptables should not allow using MARK target in filter table,
| but it worked de-facto because missing table check in xt_check_target in old kernels.
|
| Theoretically current behaviour is correct, we correctly prevent using of wrong iptable rule.
| But practically we want to keep old incorrect behaviour on new kernels,
| and therefore I vote to remove .table = "mangle" both from @revision = 0 and from @revision = 1
| versions of xt_MARK targets.
v2:
- drop limitation from revision 0 as well
https://jira.sw.ru/browse/PSBM-30390
Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
Reviewed-by: Vasily Averin <vvs at parallels.com>
CC: Andrey Vagin <avagin at parallels.com>
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
net/netfilter/xt_mark.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index db7fbfc..09ef00f 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -175,7 +175,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.compat_from_user = mark_tg_compat_from_user_v0,
.compat_to_user = mark_tg_compat_to_user_v0,
#endif
- .table = "mangle",
+ /*
+ * To support rhel5 containers which use iptables 1.3.5
+ * series (which in turn exploit @revision = 1) we're
+ * dropping off @table here so kernel won't complain
+ * if one setting up MARK rule in a fashion of iptables 1.4.2
+ * series (which exploit @revision = 2).
+ */
+ /* .table = "mangle", */
.me = THIS_MODULE,
},
{
@@ -190,7 +197,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
.compat_from_user = mark_tg_compat_from_user_v1,
.compat_to_user = mark_tg_compat_to_user_v1,
#endif
- .table = "mangle",
+ /*
+ * To support rhel5 containers which use iptables 1.3.5
+ * series (which in turn exploit @revision = 1) we're
+ * dropping off @table here so kernel won't complain
+ * if one setting up MARK rule in a fashion of iptables 1.4.2
+ * series (which exploit @revision = 2).
+ */
+ /* .table = "mangle", */
.me = THIS_MODULE,
},
{
More information about the Devel
mailing list