[Devel] [PATCH 08/14] netfilter: Add permission check in iptable_raw pernet
Kirill Tkhai
ktkhai at odin.com
Mon Jun 8 07:21:43 PDT 2015
Porting patch diff-ve-netfilter-add-permittion-check-in-iptable_raw-pernet-operations
from 2.6.32:
iptable_raw's default match and target need the VE_IP_IPTABLES
permission. If it's not allowed, then pernet init fails.
Add a check for the permission and skip iptable_raw registration
if VE_IP_IPTABLES is not allowed.
https://jira.sw.ru/browse/PSBM-27181
Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
---
net/ipv4/netfilter/iptable_raw.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 44b8fc1..6627256 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -42,18 +42,29 @@ static int __net_init iptable_raw_net_init(struct net *net)
{
struct ipt_replace *repl;
+ if (!net_ipt_permitted(net, VE_IP_IPTABLES))
+ return 0;
+
repl = ipt_alloc_initial_table(&packet_raw);
if (repl == NULL)
return -ENOMEM;
net->ipv4.iptable_raw =
ipt_register_table(net, &packet_raw, repl);
kfree(repl);
+
+ net_ipt_module_set(net, VE_IP_IPTABLES);
+
return PTR_RET(net->ipv4.iptable_raw);
}
static void __net_exit iptable_raw_net_exit(struct net *net)
{
+ if (!net_is_ipt_module_set(net, VE_IP_IPTABLES))
+ return;
+
ipt_unregister_table(net, net->ipv4.iptable_raw);
+
+ net_ipt_module_clear(net, VE_IP_IPTABLES);
}
static struct pernet_operations iptable_raw_net_ops = {
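Review bot: in iptable_raw_net_init the VE_IP_IPTABLES module bit is set unconditionally after ipt_register_table(), before PTR_RET() inspects net->ipv4.iptable_raw, so the bit is set even when registration returned an error pointer and the init is about to fail. Keep the bit tied to a successfully registered table by checking the result first, e.g. `if (IS_ERR(net->ipv4.iptable_raw)) return PTR_ERR(net->ipv4.iptable_raw);` and only then `net_ipt_module_set(net, VE_IP_IPTABLES);` followed by `return 0;`. That keeps the invariant the exit path relies on (bit set means a table to unregister) explicit in the code rather than dependent on pernet init-failure semantics, and it matches the order used in the exit hook, where the bit is cleared only after ipt_unregister_table().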