[Devel] [PATCH 12/14] ipset: prohibit ipset from the inside CT

Kirill Tkhai ktkhai at odin.com
Mon Jun 8 09:23:47 PDT 2015


On Mon, 08/06/2015 at 19:07 +0300, Andrew Vagin wrote:
> On Mon, Jun 08, 2015 at 05:22:25PM +0300, Kirill Tkhai wrote:
> > Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
> > 
> > Currently a CT owner can configure ipset rules which are not virtualized =>
> > affect the whole Hardware Node.
> > 
> > We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
> > let's prohibit ipset configuration from inside a CT while it's not done.
> > 
> > https://jira.sw.ru/browse/PSBM-27792
> > https://bugzilla.openvz.org/show_bug.cgi?id=2644
> > 
> > Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
> > ---
> >  net/netfilter/nfnetlink.c |    4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
> > index e17ad78..07e040f 100644
> > --- a/net/netfilter/nfnetlink.c
> > +++ b/net/netfilter/nfnetlink.c
> > @@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
> >  	    skb->len < nlh->nlmsg_len)
> >  		return;
> >  
> > -	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
> > +	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
> > +	    (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) &&
> > +	     NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {
> 
> The second expression is a subset of the first one
> >  		netlink_ack(skb, nlh, -EPERM);
> >  		return;
> >  	}
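Review bot: the second disjunct of the `||` is dead code. `(!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) && NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)` can only be true when the first disjunct `!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)` is already true, so the whole condition collapses to the original check and a container owner who holds CAP_VE_NET_ADMIN can still send NFNL_SUBSYS_IPSET messages, which is exactly what the commit message sets out to forbid. The second test needs a predicate that tells a container's net namespace apart from the host's independently of the capability, combined with the subsystem id.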

Sure, thanks, Andrew. Let the patch below go instead:

Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Wed Jun 3 17:38:16 2015 +0300

    ipset: prohibit ipset from the inside CT
    
    Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
    
    Currently a CT owner can configure ipset rules which are not virtualized =>
    affect the whole Hardware Node.
    
    We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
    let's prohibit ipset configuration from inside a CT while it's not done.
    
    https://jira.sw.ru/browse/PSBM-27792
    https://bugzilla.openvz.org/show_bug.cgi?id=2644
    
    Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e17ad78..b8f00e6 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
 	    skb->len < nlh->nlmsg_len)
 		return;
 
-	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
+	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
+	    (net->owner_ve != get_ve0() &&
+		NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {
 		netlink_ack(skb, nlh, -EPERM);
 		return;
 	}
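Review bot: the ipset refusal is evaluated only against `nlh`, the first message header in the skb. If, as in upstream nfnetlink_rcv(), the rest of this function hands the skb to netlink_rcv_skb(), which walks every message in the buffer, a second NFNL_SUBSYS_IPSET message packed behind a permitted one in the same skb would never reach this check. Consider applying the `net->owner_ve != get_ve0() && NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET` test in the per-message handler so that it covers each nlmsghdr. Minor style point: the continuation line `NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {` is indented with two tabs rather than aligned under `net->owner_ve` as the line above it is.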




