[Devel] [PATCH 12/14] ipset: prohibit ipset from the inside CT

Andrew Vagin avagin at odin.com
Mon Jun 8 09:07:09 PDT 2015


On Mon, Jun 08, 2015 at 05:22:25PM +0300, Kirill Tkhai wrote:
> Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
> 
> Currently a CT owner can configure ipset rules which are not virtualized =>
> affect the whole Hardware Node.
> 
> We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
> let's prohibit ipset configuration from inside a CT while it's not done.
> 
> https://jira.sw.ru/browse/PSBM-27792
> https://bugzilla.openvz.org/show_bug.cgi?id=2644
> 
> Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
> ---
>  net/netfilter/nfnetlink.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
> index e17ad78..07e040f 100644
> --- a/net/netfilter/nfnetlink.c
> +++ b/net/netfilter/nfnetlink.c
> @@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
>  	    skb->len < nlh->nlmsg_len)
>  		return;
>  
> -	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
> +	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
> +	    (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) &&
> +	     NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {

The second expression is a subset of the first one.
>  		netlink_ack(skb, nlh, -EPERM);
>  		return;
>  	}
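Review bot: the condition introduced in this hunk is logically identical to the one it replaces, so the ipset restriction described in the commit message is never enforced. Both sides of the `||` test the same `ns_capable(net->user_ns, CAP_VE_NET_ADMIN)`, and `A || (A && B)` reduces to `A` for any B, so a CT owner who holds CAP_VE_NET_ADMIN still reaches NFNL_SUBSYS_IPSET exactly as before the patch. The second clause needs a stricter test that the host passes but a container does not, for example a check against the host's namespace such as `capable(CAP_NET_ADMIN)` (which tests init_user_ns), giving `!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) || (!capable(CAP_NET_ADMIN) && NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)`. Since the current form compiles cleanly and gives no hint that it is a no-op, verifying from inside a CT that an ipset operation now gets -EPERM would be a worthwhile check before merging.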
> 
> _______________________________________________
> Devel mailing list
> Devel at openvz.org
> https://lists.openvz.org/mailman/listinfo/devel



More information about the Devel mailing list