[Devel] [PATCH RHEL7 COMMIT] netfilter: MARK -- drop off @table entity to support rhel5 containers, v2

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 10 07:39:10 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.12
------>
commit 1794ab839e406052da53afbf6871d29baea27802
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Wed Jun 10 18:39:09 2015 +0400

    netfilter: MARK -- drop off @table entity to support rhel5 containers, v2
    
    Porting patch diff-ve-netfilter-MARK-drop-off-table-entity-to-support-rhel5-containers-v2:
    
    rhel5 based containers use old iptables (1.3.5 series) which uses
    @revision = 1 when setting up a MARK rule
    
     | CT-121-bash-3.2# iptables -A OUTPUT -d 192.168.55.87 -j MARK --set-mark 2000
     | iptables: Unknown error 18446744073709551615
    
    The kernel in turn returns -EINVAL, which comes from a callchain
    
    do_ipt_set_ctl
     do_replace
      translate_table
       find_check_entry
        check_target
         xt_check_target
    
    	if (par->target->table != NULL &&
    	    strcmp(par->target->table, par->table) != 0) {
    		pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
    		       xt_prefix[par->family], par->target->name,
    		       par->target->table, par->table);
    		return -EINVAL;
    	}
    
    here if @revision = 1 is used the @mark_tg_reg has @table = "mangle",
    while by default the iptables 1.3.5 passes "filter" inside arguments
    into the kernel, which in turn causes a mismatch here.
    
    Strictly speaking I don't really understand where this @table = mangle
    came from; the vanilla kernel doesn't have it at all (even when it was
    supporting @revision = 1; new vanilla kernels operate with @revision = 2
    only).
    
    Nor do I see any other potential side effect of dropping off the
    @table limitation here.
    
     | vvs@:
     | .table = mangle was set in @revision = 0 and @revision = 1 versions of xt_MARK targets.
     | These versions were removed from the mainline kernel between 2.6.18 and 2.6.32:
     | c8001f7fd5a4684280fddceed9fae9ea2e4fb521 netfilter: xtables: remove xt_MARK v0, v1
     |
     | But we returned them back during our rebase to RHEL6 kernels.
     | It was required to allow old iptables binaries to work on new kernels.
     |
     | As far as I understand old iptables should not allow using the MARK target in the filter table,
     | but it worked de-facto because of the missing table check in xt_check_target in old kernels.
     |
     | Theoretically the current behaviour is correct: we correctly prevent the use of a wrong iptables rule.
     | But practically we want to keep the old incorrect behaviour on new kernels,
     | and therefore I vote to remove .table = "mangle" both from the @revision = 0 and from the @revision = 1
     | versions of xt_MARK targets.
    
    v2:
     - drop limitation from revision 0 as well
    
    https://jira.sw.ru/browse/PSBM-30390
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
    
    Reviewed-by: Vasily Averin <vvs at parallels.com>
    CC: Andrey Vagin <avagin at parallels.com>
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 net/netfilter/xt_mark.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index db7fbfc..09ef00f 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -175,7 +175,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
 		.compat_from_user = mark_tg_compat_from_user_v0,
 		.compat_to_user	= mark_tg_compat_to_user_v0,
 #endif
-		.table		= "mangle",
+		/*
+		 * To support rhel5 containers which use iptables 1.3.5
+		 * series (which in turn exploit @revision = 1) we're
+		 * dropping off @table here so kernel won't complain
+		 * if one setting up MARK rule in a fashion of iptables 1.4.2
+		 * series (which exploit @revision = 2).
+		 */
+		/* .table		= "mangle", */
 		.me		= THIS_MODULE,
 	},
 	{
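Review bot: the comment added to this entry (the revision 0 one, judging by the mark_tg_compat_from_user_v0 context) is copied verbatim from the v1 entry and justifies the change with iptables 1.3.5 "which in turn exploit @revision = 1", which does not explain why revision 0 loses its @table; since the v2 changelog adds revision 0 "as well", say so here, or put a single comment above mark_tg_reg[] that covers both entries instead of duplicating seven lines. Also prefer deleting the `.table = "mangle",` line outright rather than keeping `/* .table		= "mangle", */` as commented-out code: the explanatory comment already records what was dropped, and checkpatch will flag the commented-out member.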
@@ -190,7 +197,14 @@ static struct xt_target mark_tg_reg[] __read_mostly = {
 		.compat_from_user = mark_tg_compat_from_user_v1,
 		.compat_to_user	= mark_tg_compat_to_user_v1,
 #endif
-		.table		= "mangle",
+		/*
+		 * To support rhel5 containers which use iptables 1.3.5
+		 * series (which in turn exploit @revision = 1) we're
+		 * dropping off @table here so kernel won't complain
+		 * if one setting up MARK rule in a fashion of iptables 1.4.2
+		 * series (which exploit @revision = 2).
+		 */
+		/* .table		= "mangle", */
 		.me		= THIS_MODULE,
 	},
 	{
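Review bot: the comment only mentions the rhel5 / iptables 1.3.5 "filter" case, but once `.table` is gone xt_check_target's table comparison is skipped entirely for this revision, so a v1 MARK rule is now accepted in any table, not just filter; the commit message acknowledges this as the intended pre-2.6.32 behaviour, and the comment should state that wider effect so a later reader does not assume the relaxation is limited to the filter table. Same style point as the v0 entry: drop the `/* .table		= "mangle", */` line instead of leaving commented-out code behind.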