[Devel] [PATCH RHEL7 COMMIT] ve/netfilter: Add permission check in iptable_raw pernet

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 10 07:49:21 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.12
------>
commit 26c7893dfc97569f718e6390afe0db26f9078376
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Wed Jun 10 18:49:21 2015 +0400

    ve/netfilter: Add permission check in iptable_raw pernet
    
    Porting patch diff-ve-netfilter-add-permittion-check-in-iptable_raw-pernet-operations
    from 2.6.32:
    
    iptable_raw's default match and target need the VE_IP_IPTABLES
    permission. If it's not allowed, then pernet init fails.
    
    Add a check for the permission and skip iptable_raw registration
    if VE_IP_IPTABLES is not allowed.
    
    https://jira.sw.ru/browse/PSBM-27181
    
    Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
---
 net/ipv4/netfilter/iptable_raw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 44b8fc1..6627256 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -42,18 +42,29 @@ static int __net_init iptable_raw_net_init(struct net *net)
 {
 	struct ipt_replace *repl;
 
+	if (!net_ipt_permitted(net, VE_IP_IPTABLES))
+		return 0;
+
 	repl = ipt_alloc_initial_table(&packet_raw);
 	if (repl == NULL)
 		return -ENOMEM;
 	net->ipv4.iptable_raw =
 		ipt_register_table(net, &packet_raw, repl);
 	kfree(repl);
+
+	net_ipt_module_set(net, VE_IP_IPTABLES);
+
 	return PTR_RET(net->ipv4.iptable_raw);
 }
 
 static void __net_exit iptable_raw_net_exit(struct net *net)
 {
+	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES))
+		return;
+
 	ipt_unregister_table(net, net->ipv4.iptable_raw);
+
+	net_ipt_module_clear(net, VE_IP_IPTABLES);
 }
 
 static struct pernet_operations iptable_raw_net_ops = {
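Review bot: in iptable_raw_net_init, net_ipt_module_set(net, VE_IP_IPTABLES) is called before the result of ipt_register_table() is checked, so when registration fails the per-net VE_IP_IPTABLES flag is left set while net->ipv4.iptable_raw holds an error pointer and PTR_RET() returns the error. Mark the module only once the table is actually registered, e.g. `if (IS_ERR(net->ipv4.iptable_raw)) return PTR_ERR(net->ipv4.iptable_raw);` followed by `net_ipt_module_set(net, VE_IP_IPTABLES); return 0;`, so the flag tested by net_is_ipt_module_set() in iptable_raw_net_exit always means "a table was registered and must be unregistered".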