[Devel] [PATCH rh7 2/2] net: Add rules for autoloading nf_tables
Kirill Tkhai
ktkhai at odin.com
Tue May 26 04:09:25 PDT 2015
nf_tables is a new netfilter table. Add autoload permissions
like we have for {ip,ip6,x}tables.
https://jira.sw.ru/browse/PSBM-33631
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
kernel/kmod.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index a213533..04948ee 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -280,9 +280,52 @@ static struct {
{ "ip_conntrack", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "nf_conntrack-10", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
{ "nf_conntrack_ipv6", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
+
+ { "nft-set", VE_IP_IPTABLES },
+ { "nft-afinfo-2", VE_IP_IPTABLES }, /* IPV4 */
+ { "nft-afinfo-3", VE_IP_IPTABLES }, /* ARP */
+ { "nft-afinfo-10", VE_IP_IPTABLES6 }, /* IPV6 */
+
+ { "nft-chain-2-nat", VE_IP_IPTABLES|VE_IP_NAT },
+ { "nft-chain-2-route", VE_IP_IPTABLES },
+
+ { "nft-chain-10-nat", VE_IP_IPTABLES6|VE_IP_NAT },
+ { "nft-chain-10-route", VE_IP_IPTABLES6 },
+
+ { "nft-expr-2-reject", VE_IP_IPTABLES },
+ { "nft-expr-10-reject", VE_IP_IPTABLES6 },
};
/*
+ * Check if module named nft-expr-name is allowed.
+ * We pass only tail name part to this function.
+ */
+static bool nft_expr_allowed(const char *name)
+{
+ u64 permitted = get_exec_env()->ipt_mask;
+
+ if (!name[0])
+ return false;
+
+ if (!strcmp(name, "ct"))
+ return mask_ipt_allow(permitted, VE_IP_CONNTRACK);
+
+ if (!strcmp(name, "nat"))
+ return mask_ipt_allow(permitted, VE_IP_NAT);
+
+ /*
+ * We are interested in modules like nft-expr-xxx.
+ * Expressions like nft-expr-xxx-yyy currently are
+ * handled in ve0_am table. So expr does not cointain
+ * minus
+ */
+ if (!strchr(name, '-'))
+ return mask_ipt_allow(permitted, VE_IP_IPTABLES) |
+ mask_ipt_allow(permitted, VE_IP_IPTABLES6);
+ return false;
+}
+
+/*
* module_payload_allowed - check if module functionality is allowed
* to be used inside current virtual enviroment.
*
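Review bot: The fallback at the end of nft_expr_allowed is allow-by-default: any `nft-expr-<name>` whose tail contains no '-' is loadable as soon as the container holds VE_IP_IPTABLES or VE_IP_IPTABLES6, so an expression that deserves a stricter gate than the two special-cased `ct` and `nat` (or one added upstream later) passes without anyone revisiting this file. Since the expression name presumably originates from the container's own nftables netlink request, an explicit allowlist of expression names would be safer here, mirroring how the `nft-chain-*` and `nft-expr-*-reject` entries are enumerated in the table above, or at least a comment stating that every unlisted dash-free expression is deliberately permitted. Two smaller points: `mask_ipt_allow(...) | mask_ipt_allow(...)` combines two truth values with bitwise `|`, so `return mask_ipt_allow(permitted, VE_IP_IPTABLES) || mask_ipt_allow(permitted, VE_IP_IPTABLES6);` expresses the intent and short-circuits; and the `ct` and `nat` cases check only VE_IP_CONNTRACK / VE_IP_NAT, whereas the conntrack module entries and `nft-chain-*-nat` in the table also require VE_NF_CONNTRACK / VE_IP_IPTABLES — presumably mask_ipt_allow accounts for the implied bits, but worth confirming. The comment also misspells `cointain` for `contain`.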
@@ -323,6 +366,10 @@ bool module_payload_allowed(const char *module)
if (!strncmp("ebt_", module, 4))
return true;
+ /* The rest of nft- modules */
+ if (!strncmp("nft-expr-", module, 9))
+ return nft_expr_allowed(module + 9);
+
return false;
}
#endif /* CONFIG_VE_IPTABLES */
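Review bot: The comment `/* The rest of nft- modules */` overstates what the branch does: only `nft-expr-` names reach nft_expr_allowed, while `nft-set`, `nft-afinfo-*` and `nft-chain-*` are covered by the table entries, and any other `nft-` prefix falls through to `return false` unless something earlier in the function matches it. I would write it as `/* nft-expr-<name> modules without an explicit table entry; see nft_expr_allowed() */`. This also relies on the table lookup running before this check, which is outside the hunk — if it ran afterwards, `nft-expr-2-reject` would hit the dash rejection in nft_expr_allowed instead of its table entry. module_payload_allowed's body starts outside the hunk.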