[Devel] [PATCH RHEL7 COMMIT] ve/veth: add ability to prevent changing of a mac address from a container
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jun 8 09:28:50 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.11
------>
commit 475a37a26d37ac68d274bc6d7bd3b43ea4a90da8
Author: Andrew Vagin <avagin at openvz.org>
Date: Mon Jun 8 20:28:50 2015 +0400
ve/veth: add ability to prevent changing of a mac address from a container
Add the SIOCSFIXEDADDR ioctl.
If we want to forbid changing the mac address of a veth device,
we need to call this ioctl and set ifr_ifru.ifru_flags to 1.
And we need to set ifr_ifru.ifru_flags to 0 to allow changing mac address.
This ioctl is protected by CAP_NET_ADMIN.
See commit d6d2385a872895a5ebc325ef745533d6b561eb5c for detailed
feature description.
https://jira.sw.ru/browse/PSBM-32276
Signed-off-by: Andrew Vagin <avagin at openvz.org>
Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
---
drivers/net/veth.c | 17 ++++++++++++++++-
include/linux/netdev_features.h | 2 ++
include/uapi/linux/veth.h | 1 +
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 7f64043..da62cbf 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -244,6 +244,14 @@ static void veth_dev_free(struct net_device *dev)
free_netdev(dev);
}
+static int veth_mac_addr(struct net_device *dev, void *p)
+{
+ if (dev->features & NETIF_F_VENET &&
+ dev->features & NETIF_F_FIXED_ADDR)
+ return -EPERM;
+ return eth_mac_addr(dev, p);
+}
+
static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
{
if (!capable(CAP_NET_ADMIN))
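Review bot: The condition in veth_mac_addr mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter than `&&`, but the shape is easy to misread in a permission check, so `if ((dev->features & NETIF_F_VENET) && (dev->features & NETIF_F_FIXED_ADDR))` would be clearer. The function also deserves a one-line comment saying that the lock is only honored on devices carrying NETIF_F_VENET, since the ioctl later in this file sets NETIF_F_FIXED_ADDR on any veth regardless, e.g. `/* NETIF_F_FIXED_ADDR is only enforced on venet-flagged devices */`. The vzethdev_net_ioctl definition that starts at the end of this hunk continues outside it.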
@@ -264,6 +272,13 @@ static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd
return 0;
}
+ case SIOCSFIXEDADDR:
+ if (ifr->ifr_ifru.ifru_flags)
+ dev->features |= NETIF_F_FIXED_ADDR;
+ else
+ dev->features &= ~NETIF_F_FIXED_ADDR;
+ return 0;
+ }
return -ENOTTY;
}
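Review bot: SIOCSFIXEDADDR is gated only by the `capable(CAP_NET_ADMIN)` check at the top of vzethdev_net_ioctl, which is the same capability that already lets a container reach eth_mac_addr; if that check is satisfiable from inside the container, the container can clear NETIF_F_FIXED_ADDR with this ioctl and undo the restriction. Worth confirming that `capable()` in this tree means the host-side capability, or otherwise restricting this case to the host explicitly; the enclosing switch and the rest of vzethdev_net_ioctl are outside the hunk, so I cannot see whether another check applies. The flag is also set on any veth regardless of NETIF_F_VENET, whereas veth_mac_addr only honors it together with NETIF_F_VENET, so on a non-venet device the ioctl succeeds but has no effect; either apply the same condition here and return -EINVAL when it fails, or document the asymmetry with `/* only enforced when NETIF_F_VENET is set, see veth_mac_addr */`.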
@@ -274,7 +289,7 @@ static const struct net_device_ops veth_netdev_ops = {
.ndo_start_xmit = veth_xmit,
.ndo_change_mtu = veth_change_mtu,
.ndo_get_stats64 = veth_get_stats64,
- .ndo_set_mac_address = eth_mac_addr,
+ .ndo_set_mac_address = veth_mac_addr,
.ndo_do_ioctl = vzethdev_net_ioctl,
};
diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
index 2d72a7a..5c2e191 100644
--- a/include/linux/netdev_features.h
+++ b/include/linux/netdev_features.h
@@ -64,6 +64,7 @@ enum {
NETIF_F_HW_VLAN_STAG_FILTER_BIT,/* Receive filtering on VLAN STAGs */
NETIF_F_VENET_BIT, /* device is venet device */
NETIF_F_VIRTUAL_BIT, /* can be registered inside VE */
+ NETIF_F_FIXED_ADDR_BIT,
/*
* Add your fresh new feature above and remember to update
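Review bot: NETIF_F_FIXED_ADDR_BIT is the only entry in this enum block without a trailing comment, while its neighbours each say what they mean; suggest `NETIF_F_FIXED_ADDR_BIT, /* MAC address may not be changed (see veth_mac_addr) */`. The reminder comment that follows is cut by the hunk, so I cannot tell from here whether a feature count or mask elsewhere in this header also needed updating.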
@@ -120,6 +121,7 @@ enum {
#define NETIF_F_HW_VLAN_STAG_TX __NETIF_F(HW_VLAN_STAG_TX)
#define NETIF_F_VENET __NETIF_F(VENET)
#define NETIF_F_VIRTUAL __NETIF_F(VIRTUAL)
+#define NETIF_F_FIXED_ADDR __NETIF_F(FIXED_ADDR)
/* Features valid for ethtool to change */
/* = all defined minus driver/device-class-related */
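Review bot: The new `#define` sits directly above the "Features valid for ethtool to change" section, and the hunk does not show whether NETIF_F_FIXED_ADDR is excluded from that set; since the bit is a policy lock rather than an offload capability, it should be added to the never-changeable mask (presumably the NETIF_F_NEVER_CHANGE definition that follows this comment) so that an ethtool feature update cannot clear it. If that is handled elsewhere in the tree, a one-line comment here pointing at it would help, e.g. `/* policy bit set via SIOCSFIXEDADDR; must not be ethtool-changeable */`.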
diff --git a/include/uapi/linux/veth.h b/include/uapi/linux/veth.h
index 27e7795..b331a38 100644
--- a/include/uapi/linux/veth.h
+++ b/include/uapi/linux/veth.h
@@ -19,5 +19,6 @@ enum {
};
#define SIOCSVENET (SIOCDEVPRIVATE + 0xf)
+#define SIOCSFIXEDADDR (SIOCDEVPRIVATE + 0xe)
#endif
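Review bot: The new uapi ioctl number carries no description of its argument; the commit message is the only place that says a non-zero ifru_flags locks and zero unlocks the MAC address, and userspace readers of this header will not see that. Suggest a comment on the define: `/* lock (ifru_flags != 0) or unlock (0) the MAC address; requires CAP_NET_ADMIN */`. Numbering it 0xe below the existing 0xf is fine, but worth a glance that no other veth private ioctl in the tree already uses SIOCDEVPRIVATE + 0xe.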