[Devel] [PATCH 05/14] Subject: netfilter: MARK -- drop off @table entity to support rhel5 containers, v2

Kirill Tkhai ktkhai at odin.com
Mon Jun 8 07:20:49 PDT 2015


Porting patch diff-ve-netfilter-MARK-drop-off-table-entity-to-support-rhel5-containers-v2:

rhel5-based containers use an old iptables (1.3.5 series), which uses
@revision = 1 when setting up a MARK rule

 | CT-121-bash-3.2# iptables -A OUTPUT -d 192.168.55.87 -j MARK --set-mark 2000
 | iptables: Unknown error 18446744073709551615

The kernel in turn returns -EINVAL, which comes from the call chain

do_ipt_set_ctl
 do_replace
  translate_table
   find_check_entry
    check_target
     xt_check_target

	if (par->target->table != NULL &&
	    strcmp(par->target->table, par->table) != 0) {
		pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
		       xt_prefix[par->family], par->target->name,
		       par->target->table, par->table);
		return -EINVAL;
	}

Here, if @revision = 1 is used, the @mark_tg_reg entry has @table = "mangle",
while by default iptables 1.3.5 passes "filter" in the arguments to the
kernel, which in turn causes a mismatch here.

Strictly speaking, I don't really understand where this @table = mangle
came from; the vanilla kernel doesn't have it at all (even when it was
supporting @revision = 1; new vanilla kernels operate with @revision = 2
only).

Nor do I see any other potential side effect of dropping the
@table limitation here.

 | vvs@:
 | .table = mangle was set in the @revision = 0 and @revision = 1 versions of the xt_MARK targets.
 | These versions were removed from the mainline kernel between 2.6.18 and 2.6.32:
 | c8001f7fd5a4684280fddceed9fae9ea2e4fb521 netfilter: xtables: remove xt_MARK v0, v1
 |
 | But we brought them back during our rebase to RHEL6 kernels.
 | It was required to allow old iptables binaries to work on new kernels.
 |
 | As far as I understand, old iptables should not allow using the MARK target in the filter table,
 | but it worked de facto because of the missing table check in xt_check_target in old kernels.
 |
 | Theoretically the current behaviour is correct: we correctly prevent the use of a wrong iptables rule.
 | But practically we want to keep the old incorrect behaviour on new kernels,
 | and therefore I vote to remove .table = "mangle" from both the @revision = 0 and the @revision = 1
 | versions of the xt_MARK targets.

v2:
 - drop limitation from revision 0 as well

https://jira.sw.ru/browse/PSBM-30390

Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
Reviewed-by: Vasily Averin <vvs at parallels.com>
CC: Andrey Vagin <avagin at parallels.com>
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 net/netfilter/xt_mark.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index db7fbfc..09ef00f 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -175,7 +175,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
 		.compat_from_user = mark_tg_compat_from_user_v0,
 		.compat_to_user	= mark_tg_compat_to_user_v0,
 #endif
-		.table		= "mangle",
+		/*
+		 * To support rhel5 containers which use iptables 1.3.5
+		 * series (which in turn exploit @revision = 1) we're
+		 * dropping off @table here so kernel won't complain
+		 * if one setting up MARK rule in a fashion of iptables 1.4.2
+		 * series (which exploit @revision = 2).
+		 */
+		/* .table		= "mangle", */
 		.me		= THIS_MODULE,
 	},
 	{
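Review bot: the commented-out `/* .table = "mangle", */` line kept under the new block comment is dead code; drop it, the comment already records that the restriction was removed and why. The comment itself also says twice that old tools "exploit" a revision where "use" is meant, and it never states the actual failure from the commit message (iptables 1.3.5 submits the MARK rule with table "filter"), so a reader of this rev 0 entry cannot tell why it is being touched at all when the message says rev 0 is only dropped for consistency ("v2: drop limitation from revision 0 as well"). One line in place of the two-line tail would be clearer, e.g. `/* no .table: rhel5 iptables 1.3.5 adds MARK from "filter", see PSBM-30390 */`.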
@@ -190,7 +197,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
 		.compat_from_user = mark_tg_compat_from_user_v1,
 		.compat_to_user	= mark_tg_compat_to_user_v1,
 #endif
-		.table		= "mangle",
+		/*
+		 * To support rhel5 containers which use iptables 1.3.5
+		 * series (which in turn exploit @revision = 1) we're
+		 * dropping off @table here so kernel won't complain
+		 * if one setting up MARK rule in a fashion of iptables 1.4.2
+		 * series (which exploit @revision = 2).
+		 */
+		/* .table		= "mangle", */
 		.me		= THIS_MODULE,
 	},
 	{
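Review bot: this comment block is a verbatim copy of the one in the revision 0 entry a few lines up; state the rationale once (above mark_tg_reg[] or in the file header) and leave a one-line pointer here, otherwise the two copies will drift apart. Worth recording next to it is the consequence vvs already accepts in the commit message: with .table gone from both rev 0 and rev 1, the kernel no longer rejects the old MARK revisions from filter, nat or raw, and the only thing keeping them in mangle is the user space tool, which is exactly the situation the missing check in the old kernels produced.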

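As an added illustration that is not part of the patch or the kernel: a small C model of the path the commit message walks through, a lookup of a target by name and revision (as xt_find_target does) followed by the .table comparison quoted from xt_check_target. The `model_*` functions and the two registration arrays are hypothetical stand-ins for mark_tg_reg[] before and after this patch. It goes one step past the commit message by also submitting the rev 0 target from the raw table, to show the side effect vvs accepts: once .table is gone, nothing in the kernel restricts the old revisions to mangle.

```c
/* Model of the xtables target lookup and the .table check described in the
 * commit message. Added example, not kernel code: struct model_target and
 * the registration arrays mimic struct xt_target / mark_tg_reg[] in shape only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct model_target {
	const char *name;
	unsigned int revision;
	const char *table;   /* NULL: allowed in any table (what the patch makes rev 0/1 do) */
};

/* Hypothetical registration arrays: the three MARK revisions the commit message
 * mentions. Before the patch rev 0 and rev 1 carry .table = "mangle"; rev 2 never had one. */
static const struct model_target mark_tg_before[] = {
	{ "MARK", 0, "mangle" },
	{ "MARK", 1, "mangle" },
	{ "MARK", 2, NULL },
};
static const struct model_target mark_tg_after[] = {
	{ "MARK", 0, NULL },
	{ "MARK", 1, NULL },
	{ "MARK", 2, NULL },
};
#define NREG (sizeof(mark_tg_before) / sizeof(mark_tg_before[0]))

/* Mirrors xt_find_target(): a target is identified by name and revision.
 * Returns NULL (the kernel reports -ENOENT) if no such revision is registered. */
static const struct model_target *
model_find_target(const struct model_target *reg, size_t n,
		  const char *name, unsigned int revision)
{
	size_t i;
	for (i = 0; i < n; i++)
		if (strcmp(reg[i].name, name) == 0 && reg[i].revision == revision)
			return &reg[i];
	return NULL;
}

/* Mirrors the table check in xt_check_target() quoted in the commit message:
 * a target restricted to one table is rejected with -EINVAL from any other. */
static int model_check_target(const struct model_target *t, const char *table)
{
	if (t->table != NULL && strcmp(t->table, table) != 0) {
		fprintf(stderr, "ip_tables: %s target: only valid in %s table, not %s\n",
			t->name, t->table, table);
		return -EINVAL;
	}
	return 0;
}

/* What a rule add looks like from the kernel side: user space supplies the
 * table name, the target name and the revision the binary was built for. */
static int model_add_rule(const struct model_target *reg, size_t n,
			  const char *table, const char *target, unsigned int revision)
{
	const struct model_target *t = model_find_target(reg, n, target, revision);
	if (t == NULL)
		return -ENOENT;
	return model_check_target(t, table);
}

/* iptables 1.3.5 in a rhel5 container: MARK rule in the filter table, revision 1. */
int rhel5_mark_in_filter_before(void)
{
	return model_add_rule(mark_tg_before, NREG, "filter", "MARK", 1);
}
int rhel5_mark_in_filter_after(void)
{
	return model_add_rule(mark_tg_after, NREG, "filter", "MARK", 1);
}
/* In mangle the check was never the problem, with or without the patch. */
int mark_in_mangle_before(void)
{
	return model_add_rule(mark_tg_before, NREG, "mangle", "MARK", 1);
}
/* Side effect of dropping .table: the old revisions are accepted from every table. */
int rhel5_mark_in_raw_after(void)
{
	return model_add_rule(mark_tg_after, NREG, "raw", "MARK", 0);
}

int main(void)
{
	printf("filter/rev1 before patch: %d\n", rhel5_mark_in_filter_before());
	printf("filter/rev1 after patch:  %d\n", rhel5_mark_in_filter_after());
	printf("raw/rev0 after patch:     %d\n", rhel5_mark_in_raw_after());
	return 0;
}
```

The model returns the negative errno the kernel would, so the "before" call yields -EINVAL (-22) for filter and 0 for mangle, and every "after" call yields 0 regardless of table; an unknown revision is the separate -ENOENT path and is unaffected by the patch.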