[Devel] [PATCH RH7 7/9] Port: diff-fence-watchdog-add-wdog_tmo-match

Tue Oct 13 07:52:57 PDT 2015

fix wdog_tmo_mt and wdog_tmo_mt_check to match prototypes

Author: Dmitry Guryanov
Email: dguryanov at parallels.com
Subject: watchdog: add wdog_tmo match
Date: Fri, 8 Nov 2013 22:38:09 +0400

Add wdog_tmo netfilter match, which returns true if out watchdog
timeout exceed.

You have to set watchdog action to 'netfilter', so that host won't
reboot or halt.

Fix for:
https://jira.sw.ru/browse/PSBM-23253

Dmitry Guryanov (2):
  watchdog: add netfilter action
  watchdog: add wdog_tmo match

This patch description:

Add wdog_tmo match, which could be used to forbid network
traffic in case of watchdog timeout.

This match doesn't have any parameters, example of usage:
iptables -A OUTPUT -m wdog_tmo -j DROP

You have to add support of this match to userspace iptables part.

Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/fence-watchdog.h |  1 +
 kernel/fence-watchdog.c        |  6 +++++
 net/netfilter/Kconfig          |  6 +++++
 net/netfilter/Makefile         |  1 +
 net/netfilter/xt_wdog_tmo.c    | 51 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+)
 create mode 100644 net/netfilter/xt_wdog_tmo.c

diff --git a/include/linux/fence-watchdog.h b/include/linux/fence-watchdog.h
index b1e61bc..b56afe2 100644
--- a/include/linux/fence-watchdog.h
+++ b/include/linux/fence-watchdog.h
@@ -2,5 +2,6 @@
 #define _LINUX_FENCE_WATCHDOG_H_
 
 inline int fence_wdog_check_timer(void);
+bool fence_wdog_tmo_match(void);
 
 #endif
diff --git a/kernel/fence-watchdog.c b/kernel/fence-watchdog.c
index 0e6b7ec..572ef40 100644
--- a/kernel/fence-watchdog.c
+++ b/kernel/fence-watchdog.c
@@ -84,6 +84,12 @@ inline int fence_wdog_check_timer(void)
 	return 0;
 }
 
+bool fence_wdog_tmo_match(void)
+{
+	return get_jiffies_64() > fence_wdog_jiffies64;
+}
+EXPORT_SYMBOL(fence_wdog_tmo_match);
+
 static ssize_t fence_wdog_timer_show(struct kobject *kobj,
 		struct kobj_attribute *attr, char *buf)
 {
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 1abf802..2a460c0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1410,6 +1410,12 @@ config NETFILTER_XT_MATCH_U32
 
 	  Details and examples are in the kernel module source.
 
+config NETFILTER_XT_MATCH_WDOG_TMO
+	tristate '"wdog_tmo" watchdog timer match'
+	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK && FENCE_WATCHDOG
+	help
+	  This option selects the watchdog timer match module.
+
 endif # NETFILTER_XTABLES
 
 endmenu
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3c09d98..96faa08 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -165,6 +165,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_WDOG_TMO) += xt_wdog_tmo.o
 
 # ipset
 obj-$(CONFIG_IP_SET) += ipset/
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
new file mode 100644
index 0000000..e6f8cd5
--- /dev/null
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -0,0 +1,51 @@
+/*
+ *  net/netfilter/xt_wdog_tmo.c
+ *
+ *  Copyright (C) 2013, Parallels inc.
+ *  All rights reserved.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/fence-watchdog.h>
+
+static bool
+wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	return fence_wdog_tmo_match();
+}
+
+int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
+{
+
+	return ve_is_super(get_exec_env());
+}
+
+static struct xt_match wdog_tmo_mt_reg __read_mostly = {
+		.name       = "wdog_tmo",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.match      = wdog_tmo_mt,
+		.checkentry = wdog_tmo_mt_check,
+		.matchsize  = 0,
+		.me         = THIS_MODULE,
+};
+
+static int __init wdog_tmo_mt_init(void)
+{
+	return xt_register_match(&wdog_tmo_mt_reg);
+}
+
+static void __exit wdog_tmo_mt_exit(void)
+{
+	xt_unregister_match(&wdog_tmo_mt_reg);
+}
+
+module_init(wdog_tmo_mt_init);
+module_exit(wdog_tmo_mt_exit);
+MODULE_AUTHOR("Dmitry Guryanov <dguryanov at parallels.com>");
+MODULE_DESCRIPTION("Xtables: fence watchdog timeout matching");
+MODULE_LICENSE("GPL");
-- 
1.9.3


