[Devel] [PATCH 12/14] ipset: prohibit ipset from the inside CT
Andrew Vagin
avagin at odin.com
Mon Jun 8 09:07:09 PDT 2015
On Mon, Jun 08, 2015 at 05:22:25PM +0300, Kirill Tkhai wrote:
> Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
>
> Currently a CT owner can configure ipset rules which are not virtualized =>
> affect the whole Hardware Node.
>
> We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
> let's prohibit ipset configuration from inside a CT while it's not done.
>
> https://jira.sw.ru/browse/PSBM-27792
> https://bugzilla.openvz.org/show_bug.cgi?id=2644
>
> Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
> ---
> net/netfilter/nfnetlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
> index e17ad78..07e040f 100644
> --- a/net/netfilter/nfnetlink.c
> +++ b/net/netfilter/nfnetlink.c
> @@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
> skb->len < nlh->nlmsg_len)
> return;
>
> - if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
> + if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
> + (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) &&
> + NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {
The second expression is a subset of the first one
> netlink_ack(skb, nlh, -EPERM);
> return;
> }
>
> _______________________________________________
> Devel mailing list
> Devel at openvz.org
> https://lists.openvz.org/mailman/listinfo/devel
More information about the Devel
mailing list