[Devel] [PATCH RHEL7 COMMIT] ve: Add support of iptables mask
Konstantin Khorenko
khorenko at odin.com
Tue May 19 01:00:40 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.3
------>
commit a90ad4e8ce17a95a7ba01f40ffd67f9db4f676bd
Author: Cyrill Gorcunov <gorcunov at odin.com>
Date: Tue May 19 12:00:40 2015 +0400
ve: Add support of iptables mask
While working on running Docker on the rhel7 kernel I found that we
don't have any interface to set up a VE's iptables mask.
So here is a trivial one: a new entry in the ve/$ID cgroup, @ve.iptables_mask.
https://jira.sw.ru/browse/PSBM-32737
Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
CC: Vladimir Davydov <vdavydov at odin.com>
CC: Konstantin Khorenko <khorenko at odin.com>
CC: Pavel Emelyanov <xemul at odin.com>
CC: Andrey Vagin <avagin at odin.com>
---
kernel/ve/ve.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 42b1021..f4af6d2 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1094,12 +1094,15 @@ enum {
VE_CF_STATE,
VE_CF_LEGACY_VEID,
VE_CF_FEATURES,
+ VE_CF_IPTABLES_MASK,
};
static u64 ve_read_u64(struct cgroup *cg, struct cftype *cft)
{
if (cft->private == VE_CF_FEATURES)
return cgroup_ve(cg)->features;
+ else if (cft->private == VE_CF_IPTABLES_MASK)
+ return cgroup_ve(cg)->ipt_mask;
return 0;
}
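Review bot: the if/else-if chain on cft->private in ve_read_u64 is now growing with each new VE_CF_* value; a switch over cft->private (with a default returning 0) would read better than a third branch and makes the unhandled cases explicit. Otherwise the read side is straightforward: VE_CF_IPTABLES_MASK returns cgroup_ve(cg)->ipt_mask as written.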
@@ -1110,6 +1113,26 @@ static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
if (cft->private == VE_CF_FEATURES)
cgroup_ve(cg)->features = value;
+ else if (cft->private == VE_CF_IPTABLES_MASK) {
+ value &= ~VE_IP_IPTABLES6;
+ value &= ~VE_IP_FILTER6;
+ value &= ~VE_IP_MANGLE6;
+ value &= ~VE_IP_IPTABLE_NAT_MOD;
+ value &= ~VE_NF_CONNTRACK_MOD;
+
+ if (mask_ipt_allow(value, VE_IP_IPTABLES))
+ value |= VE_IP_IPTABLES6;
+ if (mask_ipt_allow(value, VE_IP_FILTER))
+ value |= VE_IP_FILTER6;
+ if (mask_ipt_allow(value, VE_IP_MANGLE))
+ value |= VE_IP_MANGLE6;
+ if (mask_ipt_allow(value, VE_IP_NAT))
+ value |= VE_IP_IPTABLE_NAT;
+ if (mask_ipt_allow(value, VE_IP_CONNTRACK))
+ value |= VE_NF_CONNTRACK;
+
+ cgroup_ve(cg)->ipt_mask = value;
+ }
return 0;
}
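Review bot: the clear/set pairs in ve_write_u64 are asymmetric for NAT and conntrack. The IPv6 pairs clear and re-set the same flag (VE_IP_IPTABLES6, VE_IP_FILTER6, VE_IP_MANGLE6), but the write path clears VE_IP_IPTABLE_NAT_MOD and VE_NF_CONNTRACK_MOD while it re-sets VE_IP_IPTABLE_NAT and VE_NF_CONNTRACK. If the _MOD bits are distinct from the non-_MOD bits, a caller-supplied VE_IP_IPTABLE_NAT or VE_NF_CONNTRACK bit survives untouched and the _MOD bits are never restored; either clear and set the same flag in each pair or add a comment explaining why these two differ. Separately, nothing in this path checks the VE's state or the writer's privilege before storing the new mask, so the value can be changed at any time by anyone with write access to the cgroup file; if the mask is meant to be fixed by the host before the VE starts, that should be enforced here or stated in the commit message.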
@@ -1147,6 +1170,13 @@ static struct cftype ve_cftypes[] = {
.read_seq_string = ve_os_release_read,
.write_string = ve_os_release_write,
},
+ {
+ .name = "iptables_mask",
+ .flags = CFTYPE_NOT_ON_ROOT,
+ .read_u64 = ve_read_u64,
+ .write_u64 = ve_write_u64,
+ .private = VE_CF_IPTABLES_MASK,
+ },
{ }
};
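Review bot: the new ve.iptables_mask file is added without any documentation of its format or of which VE_IP_* bits are accepted and silently adjusted by ve_write_u64; the diffstat touches kernel/ve/ve.c only. Add a short description of the mask semantics alongside the other ve cgroup files, and since the write handler rewrites the value (dropping the IPv6 and module bits and re-deriving them), note that reading the file back after a write may return a different value than the one written.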