[Devel] [PATCH RHEL7 COMMIT] ve/iptables: fix mask initialization and changing
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Jun 30 07:28:56 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.23
------>
commit 256d400af10b3e8298834f2e6e384e57adba5386
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Tue Jun 30 18:28:56 2015 +0400
ve/iptables: fix mask initialization and changing
Patchset description:
ve: fix initialization and remove sysctl_fsync_enable
v2:
- initialize only on ve cgroup creation, remove get_ve_features
- rename setup_iptables_mask into ve_setup_iptables_mask
https://jira.sw.ru/browse/PSBM-34286
https://jira.sw.ru/browse/PSBM-34285
Pavel Tikhomirov (4):
ve: remove sysctl_fsync_enable and use ve_fsync_behavior instead
ve: initialize fsync_enable also for non ve0 environment
ve: iptables: fix mask initialization and changing
ve: cgroup: initialize odirect_enable, features and _randomize_va_space
=====================================================================
This patch description:
- initialize mask on ve cgroup creation
- put ipt_mask under CONFIG_VE_IPTABLES
- reuse setup_iptables_mask
v2: rename setup_iptables_mask into ve_setup_iptables_mask
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
include/linux/ve.h | 4 ++++
kernel/ve/Makefile | 2 ++
kernel/ve/ve.c | 59 ++++++++++++++++++++++++++++++++++-------------------
kernel/ve/vecalls.c | 29 +-------------------------
4 files changed, 45 insertions(+), 49 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index 5489cab..7ba3f92 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -154,6 +154,10 @@ extern int nr_ve;
extern struct proc_dir_entry *proc_vz_dir;
extern struct cgroup_subsys ve_subsys;
+#ifdef CONFIG_VE_IPTABLES
+extern __u64 ve_setup_iptables_mask(__u64 init_mask);
+#endif
+
#ifdef CONFIG_VE
#define ve_uevent_seqnum (get_exec_env()->_uevent_seqnum)
diff --git a/kernel/ve/Makefile b/kernel/ve/Makefile
index c45948f..c32e03d 100644
--- a/kernel/ve/Makefile
+++ b/kernel/ve/Makefile
@@ -20,6 +20,8 @@ obj-$(CONFIG_VE_CALLS) += vzstat.o
obj-$(CONFIG_VZ_IOLIMIT) += vziolimit.o
+obj-$(CONFIG_VE_IPTABLES) += ve.o
+
obj-m += dummy/ip6_vzprivnet.o
obj-m += dummy/ip_vzprivnet.o
obj-m += dummy/pio_nfs.o
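Review bot: The new `obj-$(CONFIG_VE_IPTABLES) += ve.o` line reads as if ve.o becomes conditional on CONFIG_VE_IPTABLES, but the helper it was added for (ve_setup_iptables_mask) lives in a file that presumably is already built under another symbol above the hunk, which is not visible here. Kbuild tolerates the duplicate (an obj-m entry that is also in obj-y is filtered out, and prerequisites are de-duplicated at link time), so the line is most likely harmless, but its purpose is not self-evident. If it is needed, a one-line comment such as `# ve_setup_iptables_mask() is exported from ve.o for CONFIG_VE_IPTABLES users` would stop the next reader from removing it as redundant; if ve.o is unconditionally built already, the line can simply be dropped.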
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 9e37dd5..946b0d6 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -613,6 +613,34 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
put_ve(ve); /* from ve_start_container() */
}
+#ifdef CONFIG_VE_IPTABLES
+
+__u64 ve_setup_iptables_mask(__u64 init_mask)
+{
+ /* Remove when userspace will start supplying IPv6-related bits. */
+ init_mask &= ~VE_IP_IPTABLES6;
+ init_mask &= ~VE_IP_FILTER6;
+ init_mask &= ~VE_IP_MANGLE6;
+ init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
+ init_mask &= ~VE_NF_CONNTRACK_MOD;
+
+ if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
+ init_mask |= VE_IP_IPTABLES6;
+ if (mask_ipt_allow(init_mask, VE_IP_FILTER))
+ init_mask |= VE_IP_FILTER6;
+ if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
+ init_mask |= VE_IP_MANGLE6;
+ if (mask_ipt_allow(init_mask, VE_IP_NAT))
+ init_mask |= VE_IP_IPTABLE_NAT;
+ if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
+ init_mask |= VE_NF_CONNTRACK;
+
+ return init_mask;
+}
+EXPORT_SYMBOL(ve_setup_iptables_mask);
+
+#endif
+
static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
{
struct ve_struct *ve = &ve0;
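Review bot: ve_setup_iptables_mask() becomes the single normalization point for every mask that reaches ipt_mask (VE_IP_DEFAULT in ve_create, the cgroup file write in ve_write_u64, and data->iptables_mask in init_ve_struct), and it is exported, yet the only comment on it is the "Remove when userspace will start supplying IPv6-related bits" line, which explains the clearing step but not the contract. A kernel-doc header should state that the IPv6 bits and the _MOD bits are treated as derived: they are cleared unconditionally and re-granted only where mask_ipt_allow() accepts the corresponding base bit, so a caller cannot turn on a derived bit without the base bit it depends on, and that the normalized mask is returned rather than stored. Because mask_ipt_allow() is defined outside this hunk, the header should also say what it checks so a reader of the exported prototype in ve.h does not have to chase it. The EXPORT_SYMBOL line suggests the helper is intended for a separately built caller (vecalls.c), which is worth naming in the same comment.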
@@ -636,6 +664,10 @@ static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
ve->fsync_enable = 2;
+#ifdef CONFIG_VE_IPTABLES
+ ve->ipt_mask = ve_setup_iptables_mask(VE_IP_DEFAULT);
+#endif
+
ve->sched_lat_ve.cur = alloc_percpu(struct kstat_lat_pcpu_snap_struct);
if (!ve->sched_lat_ve.cur)
goto err_lat;
@@ -1071,8 +1103,10 @@ static u64 ve_read_u64(struct cgroup *cg, struct cftype *cft)
{
if (cft->private == VE_CF_FEATURES)
return cgroup_ve(cg)->features;
+#ifdef CONFIG_VE_IPTABLES
else if (cft->private == VE_CF_IPTABLES_MASK)
return cgroup_ve(cg)->ipt_mask;
+#endif
return 0;
}
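Review bot: The `#ifdef CONFIG_VE_IPTABLES` in ve_read_u64 is placed between an `if` and its `else if`, so the preprocessor block is not a complete statement on its own and a later edit that adds an `else` or braces to the first branch will change what is guarded; the same shape is used in ve_write_u64 in the next hunk. Since the first branch returns here, and the two VE_CF_* values are presumably distinct in ve_write_u64, a plain `if (cft->private == VE_CF_IPTABLES_MASK)` inside the guard is equivalent and keeps each `#ifdef` region self-contained. Only the `else if` line changes in each function.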
@@ -1091,27 +1125,10 @@ static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
if (cft->private == VE_CF_FEATURES)
ve->features = value;
- else if (cft->private == VE_CF_IPTABLES_MASK) {
- value &= ~VE_IP_IPTABLES6;
- value &= ~VE_IP_FILTER6;
- value &= ~VE_IP_MANGLE6;
- value &= ~VE_IP_IPTABLE_NAT_MOD;
- value &= ~VE_NF_CONNTRACK_MOD;
-
- if (mask_ipt_allow(value, VE_IP_IPTABLES))
- value |= VE_IP_IPTABLES6;
- if (mask_ipt_allow(value, VE_IP_FILTER))
- value |= VE_IP_FILTER6;
- if (mask_ipt_allow(value, VE_IP_MANGLE))
- value |= VE_IP_MANGLE6;
- if (mask_ipt_allow(value, VE_IP_NAT))
- value |= VE_IP_IPTABLE_NAT;
- if (mask_ipt_allow(value, VE_IP_CONNTRACK))
- value |= VE_NF_CONNTRACK;
-
- ve->ipt_mask = value;
- }
-
+#ifdef CONFIG_VE_IPTABLES
+ else if (cft->private == VE_CF_IPTABLES_MASK)
+ ve->ipt_mask = ve_setup_iptables_mask(value);
+#endif
up_write(&ve->op_sem);
return 0;
}
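Review bot: With the mask branch now compiled out under !CONFIG_VE_IPTABLES, a write to the VE_CF_IPTABLES_MASK file falls through to `up_write(&ve->op_sem); return 0;` and is silently accepted and discarded (ve_read_u64 likewise reports 0), which is misleading to userspace if the cftype entry is still registered unconditionally — whether it is cannot be seen from this hunk. The least invasive fix is to guard the VE_CF_IPTABLES_MASK cftype entry with the same `#ifdef CONFIG_VE_IPTABLES` so the file does not exist when the feature is compiled out, rather than adding an error path here. ve_write_u64 starts above the hunk, so the lock acquisition and any local return variable it may have are not visible.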
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index be4fb1e..00c5c04 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -224,33 +224,6 @@ static __u64 get_ve_features(env_create_param_t *data, int datalen)
(VE_FEATURES_DEF & ~known_features);
}
-#ifdef CONFIG_VE_IPTABLES
-
-static __u64 setup_iptables_mask(__u64 init_mask)
-{
- /* Remove when userspace will start supplying IPv6-related bits. */
- init_mask &= ~VE_IP_IPTABLES6;
- init_mask &= ~VE_IP_FILTER6;
- init_mask &= ~VE_IP_MANGLE6;
- init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
- init_mask &= ~VE_NF_CONNTRACK_MOD;
-
- if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
- init_mask |= VE_IP_IPTABLES6;
- if (mask_ipt_allow(init_mask, VE_IP_FILTER))
- init_mask |= VE_IP_FILTER6;
- if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
- init_mask |= VE_IP_MANGLE6;
- if (mask_ipt_allow(init_mask, VE_IP_NAT))
- init_mask |= VE_IP_IPTABLE_NAT;
- if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
- init_mask |= VE_NF_CONNTRACK;
-
- return init_mask;
-}
-
-#endif
-
static int init_ve_struct(struct ve_struct *ve,
u32 class_id, env_create_param_t *data, int datalen)
{
@@ -265,7 +238,7 @@ static int init_ve_struct(struct ve_struct *ve,
/* Set up ipt_mask as it will be used during
* net namespace initialization
*/
- ve->ipt_mask = setup_iptables_mask(data ? data->iptables_mask
+ ve->ipt_mask = ve_setup_iptables_mask(data ? data->iptables_mask
: VE_IP_DEFAULT);
#endif