[Devel] [PATCH RH7 8/9] Port: diff-fence-watchdog-arptables-add -ability-to-filter-by-watchdog-timeout-v5
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Oct 13 07:52:58 PDT 2015
Author: Dmitry Guryanov
Email: dguryanov at parallels.com
Subject: fence-watchdog/arptables: add ability to filter by watchdog
timeout
Date: Tue, 19 Nov 2013 12:22:00 +0400
arptables uses the fixed structure arpt_arp for passing match
parameters. Let's use the flags field of that structure to
indicate that we want to match by watchdog timeout.
Changes in v5:
use last possible bits for ARPT_WDOGTMO and ARPT_INV_WDOGTMO.
https://jira.sw.ru/browse/PSBM-23253
Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>
Acked-by: Andrew Vagin <avagin at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
include/uapi/linux/netfilter_arp/arp_tables.h | 7 ++++---
net/ipv4/netfilter/arp_tables.c | 9 +++++++++
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
index a5a86a4..cb3aa16 100644
--- a/include/uapi/linux/netfilter_arp/arp_tables.h
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -71,9 +71,9 @@ struct arpt_arp {
};
/* Values for "flag" field in struct arpt_ip (general arp structure).
- * No flags defined yet.
*/
-#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
+#define ARPT_WDOGTMO 0x80
+#define ARPT_F_MASK 0x80 /* All possible flag bits mask. */
/* Values for "inv" field in struct arpt_arp. */
#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
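Review bot: `ARPT_WDOGTMO` is the only define in this block without a comment, and with "No flags defined yet." removed the block comment no longer says what the flag field can hold. This is a uapi header that userspace tooling builds against, so the bit's meaning and its dependency on the kernel option should be written down next to it. Suggested line: `#define ARPT_WDOGTMO 0x80 /* Match on fence watchdog timeout (CONFIG_FENCE_WATCHDOG). */`. It would also help to note that the top bit was chosen deliberately, as the v5 changelog says, so a later merge does not reuse it.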
@@ -86,7 +86,8 @@ struct arpt_arp {
#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
-#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
+#define ARPT_INV_WDOGTMO 0x8000 /* Invert the sense if ARPT_WDOGTMO flag */
+#define ARPT_INV_MASK 0x83FF /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3
parts which are 1) general ARP header stuff 2) match specific
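Review bot: `ARPT_INV_WDOGTMO` can be set without `ARPT_WDOGTMO`, and the new test in arp_packet_match then evaluates `FWINV(0, ARPT_INV_WDOGTMO)` to true, so such a rule never matches any packet. Either document that the inversion bit is only valid together with `ARPT_WDOGTMO`, or reject the lone inversion bit when the rule is loaded; that validation code is not visible on this page. The comment also has a typo ("if" for "of"). Suggested line: `#define ARPT_INV_WDOGTMO 0x8000 /* Invert the sense of ARPT_WDOGTMO; valid only with that flag set. */`.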
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f95b6f9..83369df 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -25,6 +25,7 @@
#include <net/compat.h>
#include <net/sock.h>
#include <asm/uaccess.h>
+#include <linux/fence-watchdog.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
@@ -112,6 +113,14 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg)))
+#ifdef CONFIG_FENCE_WATCHDOG
+ if (FWINV((arpinfo->flags & ARPT_WDOGTMO) && !fence_wdog_tmo_match(),
+ ARPT_INV_WDOGTMO)) {
+ dprintf("Watchdog timeout mismatch.\n");
+ return 0;
+ }
+#endif
+
if (FWINV((arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop,
ARPT_INV_ARPOP)) {
dprintf("ARP operation field mismatch.\n");
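Review bot: With CONFIG_FENCE_WATCHDOG disabled the new test in arp_packet_match compiles out, but `ARPT_F_MASK` and `ARPT_INV_MASK` in the uapi header are widened unconditionally. A rule carrying `ARPT_WDOGTMO` would then presumably pass the loader's mask validation and be applied without its watchdog condition. For a fencing filter that fails open: the operator believes the rule is conditional on the watchdog timeout and it is not. Reject the flag at rule-load time on such kernels, e.g. `if (arp->flags & ARPT_WDOGTMO) return 0;` under `#ifndef CONFIG_FENCE_WATCHDOG` in the entry check (arp_checkentry upstream, not visible in this hunk). arp_packet_match's body continues outside the hunk.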
--
1.9.3