[Devel] [PATCH RHEL7 COMMIT] ve/net: ip_vti: skip per net init in ve
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 24 03:30:29 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.19
------>
commit cded649a61aff2ad6a2d0f521b18501f6f5c1f31
Author: Vladimir Davydov <vdavydov at virtuozzo.com>
Date: Fri Jun 24 14:30:29 2016 +0400
ve/net: ip_vti: skip per net init in ve
ip_vti devices lack NETIF_F_VIRTUAL, so they can't be created inside a
container. The problem is that a device of this kind is created on net ns init if
the module is loaded; as a result, a container start fails with EPERM.
We could allow ip_vti inside a container (as well as other net devices,
which I would really like to do), but this is insecure and might break
migration, so let's keep it disabled and fix the issue by silently
skipping ip_vti per net init if running inside a ve.
https://jira.sw.ru/browse/PSBM-48698
Signed-off-by: Vladimir Davydov <vdavydov at virtuozzo.com>
Tested-by: Evgenii Shatokhin <eshatokhin at virtuozzo.com>
---
net/ipv4/ip_vti.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index ce80a9a..3158100 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -58,6 +58,9 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
struct net *net = dev_net(skb->dev);
struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+ if (itn == NULL)
+ return -EINVAL;
+
tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
iph->saddr, iph->daddr, 0);
if (tunnel != NULL) {
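Review bot: the `if (itn == NULL)` check in vti_input() needs a one-line comment saying where a NULL per-net pointer comes from (vti_init_net() deliberately assigns NULL for a non-super VE); read in isolation, a missing net_generic() result looks like a bug rather than a sentinel. The placement is right, since the return happens before ip_tunnel_lookup() dereferences itn. Because the same sentinel test is now repeated in five functions of this file, consider a small `static inline struct ip_tunnel_net *vti_itn(struct net *net)` helper that carries the comment once, so the checks cannot drift apart.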
@@ -256,6 +259,9 @@ static int vti4_err(struct sk_buff *skb, u32 info)
int protocol = iph->protocol;
struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+ if (itn == NULL)
+ return -1;
+
tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
iph->daddr, iph->saddr, 0);
if (!tunnel)
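Review bot: returning -1 for a NULL itn in vti4_err() matches the `if (!tunnel)` path directly below, so an ICMP error arriving in a container is treated exactly like one that matches no tunnel; that is the right choice. Style only: keep the blank line between the declarations and the new check, and add the same "NULL means running in a non-super VE" comment here as in vti_input() so both early returns are self-explanatory.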
@@ -413,6 +419,9 @@ static int __net_init vti_init_net(struct net *net)
int err;
struct ip_tunnel_net *itn;
+ if (!ve_is_super(net->owner_ve))
+ return net_assign_generic(net, vti_net_id, NULL);
+
err = ip_tunnel_init_net(net, vti_net_id, &vti_link_ops, "ip_vti0");
if (err)
return err;
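Review bot: assigning NULL with `net_assign_generic(net, vti_net_id, NULL)` likely leaks the per-net struct that was allocated before vti_init_net() ran. With vti_net_ops carrying `.id`/`.size` (which is why `struct ip_tunnel_net *itn` can be fetched with net_generic() rather than allocated here), ops_init() kzalloc()s `sizeof(struct ip_tunnel_net)` and stores it in the generic slot before calling `.init`; overwriting that slot with NULL means the later ops_free() kfree()s NULL and the original allocation is never released, once per net namespace created inside a VE. Suggest `kfree(net_generic(net, vti_net_id));` immediately before the NULL assignment, or, cleaner, keep the allocation and skip only the ip_tunnel_init_net() call by recording the "disabled" state in the struct instead of using a NULL pointer as the sentinel. A short comment explaining why the VE case is skipped (no NETIF_F_VIRTUAL, so the fallback device cannot be created) belongs above the check either way.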
@@ -424,6 +433,9 @@ static int __net_init vti_init_net(struct net *net)
static void __net_exit vti_exit_net(struct net *net)
{
struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+ if (itn == NULL)
+ return;
ip_tunnel_delete_net(itn, &vti_link_ops);
}
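Review bot: the early return in vti_exit_net() is correct for the NULL sentinel, but worth confirming in the same patch that no other path in this file dereferences net_generic(net, vti_net_id) unchecked, for example the ioctl and changelink handlers reached through an existing vti device; inside a container no such device can exist (that is what this patch relies on), so a one-line comment stating that assumption here would save the next reader the audit.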
@@ -473,6 +485,9 @@ static int vti_newlink(struct net *src_net, struct net_device *dev,
{
struct ip_tunnel_parm parms;
+ if (net_generic(dev_net(dev), vti_net_id) == NULL)
+ return -EACCES;
+
vti_netlink_parms(data, &parms);
return ip_tunnel_newlink(dev, tb, &parms);
}
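Review bot: -EACCES in vti_newlink() does not match the EPERM that the commit message says a container already gets for devices lacking NETIF_F_VIRTUAL; returning -EPERM keeps userspace seeing the same error whichever check fires first, and -EACCES is normally a filesystem permission code rather than a "not allowed in this namespace" one. Checking `dev_net(dev)` rather than `src_net` is right, since dev_net(dev) is the namespace the tunnel would live in.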