[Devel] [PATCH RHEL7 COMMIT] ve/veth: filter packages accoding with mac addresses

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jun 8 09:28:57 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.11
------>
commit 69a0d2fdb4efda3f33d7149079b9408480527205
Author: Andrew Vagin <avagin at openvz.org>
Date:   Mon Jun 8 20:28:57 2015 +0400

    ve/veth: filter packages accoding with mac addresses
    
    Only if the NETIF_F_VENET flag is set.
    
    A container neither receives nor sends packets with a MAC address
    which doesn't belong to it.
    
    See commit d6d2385a872895a5ebc325ef745533d6b561eb5c for detailed
    feature description.
    
    https://jira.sw.ru/browse/PSBM-32276
    
    Signed-off-by: Andrew Vagin <avagin at openvz.org>
    Reviewed-by: Kirill Tkhai <ktkhai at odin.com>
---
 drivers/net/veth.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index da62cbf..1d85174 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -19,6 +19,7 @@
 #include <net/xfrm.h>
 #include <linux/veth.h>
 #include <linux/module.h>
+#include "../../net/bridge/br_private.h"
 
 #define DRV_NAME	"veth"
 #define DRV_VERSION	"1.0"
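Review bot: `#include "../../net/bridge/br_private.h"` pulls a bridge-internal header into drivers/net by relative path, and the only symbol the patch takes from it is `br_port_get_rcu()`, whose result the two call sites in the next hunk only test for NULL. If I recall correctly that helper itself gates on the IFF_BRIDGE_PORT flag, so the public `br_port_exists(dev)` macro from `<linux/if_bridge.h>` would express the same "is this device a bridge port" test without coupling veth to bridge internals; worth confirming against the tree before switching.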
@@ -105,6 +106,31 @@ static const struct ethtool_ops veth_ethtool_ops = {
 	.get_ethtool_stats	= veth_get_ethtool_stats,
 };
 
+static int vzethdev_filter(struct sk_buff *skb, struct net_device *dev, struct net_device *rcv)
+{
+	/* Filtering */
+	if (ve_is_super(dev_net(dev)->owner_ve) &&
+	    dev->features & NETIF_F_FIXED_ADDR) {
+		/* from VE0 to VEX */
+		if (ve_is_super(dev_net(rcv)->owner_ve))
+			return 1;
+		if (is_multicast_ether_addr(
+					((struct ethhdr *)skb->data)->h_dest))
+			return 1;
+		if (!br_port_get_rcu(rcv) &&
+			compare_ether_addr(((struct ethhdr *)skb->data)->h_dest, rcv->dev_addr))
+				return 0;
+	} else if (!ve_is_super(dev_net(dev)->owner_ve) &&
+		   dev->features & NETIF_F_FIXED_ADDR) {
+		/* from VEX to VE0 */
+		if (!br_port_get_rcu(dev) &&
+			compare_ether_addr(((struct ethhdr *)skb->data)->h_source, dev->dev_addr))
+				return 0;
+	}
+
+	return 1;
+}
+
 static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct veth_priv *priv = netdev_priv(dev);
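Review bot: vzethdev_filter() dereferences `((struct ethhdr *)skb->data)->h_dest` and `->h_source` without checking that the skb holds ETH_HLEN bytes of linear data; on this 3.10 base I am not certain the raw packet-socket path rejects frames shorter than the hard header before they reach the driver's xmit, so a guard such as `if (!pskb_may_pull(skb, ETH_HLEN)) return 0;` followed by a single `const struct ethhdr *eth = (const struct ethhdr *)skb->data;` would both close that gap and remove the four repeated casts. `compare_ether_addr()` is the deprecated spelling; `!ether_addr_equal(eth->h_dest, rcv->dev_addr)` carries the same inverted sense with less chance of a reader misreading which way the test drops. Both branches repeat `dev->features & NETIF_F_FIXED_ADDR`, which can be hoisted into one early return, and the function deserves a header comment, e.g. `/* MAC anti-spoofing for VENET veth pairs: returns 1 if the frame may be forwarded to rcv, 0 if it must be dropped. */`. Since the whole filter is keyed off NETIF_F_FIXED_ADDR (and NETIF_F_VENET in the caller), it is worth confirming those bits are not advertised in the device's hw_features, otherwise the container end could clear them with ethtool and switch off its own source-address check.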
@@ -124,6 +150,10 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
 	    rcv->features & NETIF_F_RXCSUM)
 		skb->ip_summed = CHECKSUM_UNNECESSARY;
 
+
+	if (dev->features & NETIF_F_VENET && !vzethdev_filter(skb, dev, rcv))
+		goto drop;
+
 	if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) {
 		struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats);
 
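Review bot: The added blank line directly follows an existing blank context line, leaving two consecutive empty lines before the filter call; drop the new one. The condition mixes `&` and `&&` without parentheses, which checkpatch and most readers prefer spelled as `if ((dev->features & NETIF_F_VENET) && !vzethdev_filter(skb, dev, rcv))`. The `drop:` label is outside the hunk; assuming it feeds the same dropped counter as the no-peer case in upstream veth_xmit, frames rejected by the MAC filter are indistinguishable from other drops in the statistics, so a dedicated counter or a `net_ratelimit()`-guarded debug message would help operators notice a spoofing attempt.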


