[Devel] [PATCH RHEL7 COMMIT] ve/kmod: Add rules for autoloading (new) nf_tables

Konstantin Khorenko khorenko at virtuozzo.com
Fri May 29 01:01:52 PDT 2015 

The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit 5f6dbce004ffb21b500d930b46d2b85287619f6d
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Fri May 29 12:01:52 2015 +0400

    ve/kmod: Add rules for autoloading (new) nf_tables
    
    nf_tables is a new netfilter table. Add autoload permittions
    like we have for {ip,ip6,x}tables.
    
    https://jira.sw.ru/browse/PSBM-33631
    
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
    Reviewed-by: Cyrill Gorcunov <gorcunov at odin.com>
---
 kernel/kmod.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/kernel/kmod.c b/kernel/kmod.c
index b77bbc5..2daabea 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -267,9 +267,52 @@ static struct {
 	{ "ip_conntrack",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 	{ "nf_conntrack-10",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 	{ "nf_conntrack_ipv6",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
+
+	{ "nft-set",		VE_IP_IPTABLES			},
+	{ "nft-afinfo-2",	VE_IP_IPTABLES			}, /* IPV4 */
+	{ "nft-afinfo-3",	VE_IP_IPTABLES			}, /* ARP  */
+	{ "nft-afinfo-10",	VE_IP_IPTABLES6			}, /* IPV6 */
+
+	{ "nft-chain-2-nat",	VE_IP_IPTABLES|VE_IP_NAT	},
+	{ "nft-chain-2-route",	VE_IP_IPTABLES			},
+
+	{ "nft-chain-10-nat",	VE_IP_IPTABLES6|VE_IP_NAT	},
+	{ "nft-chain-10-route",	VE_IP_IPTABLES6		},
+
+	{ "nft-expr-2-reject",	VE_IP_IPTABLES			},
+	{ "nft-expr-10-reject",	VE_IP_IPTABLES6			},
 };
 
 /*
+ *  Check if module named nft-expr-name is allowed.
+ *  We pass only tail name part to this function.
+ */
+static bool nft_expr_allowed(const char *name)
+{
+	u64 permitted = get_exec_env()->ipt_mask;
+
+	if (!name[0])
+		return false;
+
+	if (!strcmp(name, "ct"))
+		return mask_ipt_allow(permitted, VE_IP_CONNTRACK);
+
+	if (!strcmp(name, "nat"))
+		return mask_ipt_allow(permitted, VE_IP_NAT);
+
+	/*
+	 * We are interested in modules like nft-expr-xxx.
+	 * Expressions like nft-expr-xxx-yyy currently are
+	 * handled in ve0_am table. So expr does not cointain
+	 * minus
+	 */
+	if (!strchr(name, '-'))
+		return mask_ipt_allow(permitted, VE_IP_IPTABLES) |
+		       mask_ipt_allow(permitted, VE_IP_IPTABLES6);
+	return false;
+}
+
+/*
  * module_payload_allowed - check if module functionality is allowed
  * 			    to be used inside current virtual enviroment.
  *
@@ -310,6 +353,10 @@ bool module_payload_allowed(const char *module)
 	if (!strncmp("ebt_", module, 4))
 		return true;
 
+	/* The rest of nft- modules */
+	if (!strncmp("nft-expr-", module, 9))
+		return nft_expr_allowed(module + 9);
+
 	return false;
 }
 #endif /* CONFIG_VE_IPTABLES */

More information about the Devel mailing list