[Devel] [PATCH RHEL7 COMMIT] vzprivnet: Do not execute vzprivnet_hook inside CT

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 24 08:53:45 PDT 2016 

The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit d4cfc9b687f5f51eb733afcac00d252c7313ed5c
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Mar 24 19:53:45 2016 +0400

    vzprivnet: Do not execute vzprivnet_hook inside CT
    
    changes:
    1) there is no skb->owner_env so use skb->dev->nd_net->owner_ve
    having ve of device on which we have an operation
    2) add the same check to ipv6 hooks vzprivnet6_hook
    
    Port diff-vzprivnet-netfilter-do-not-do-vzprivnet_hook-inside-CT
      netfilter: do not do vzprivnet_hook inside CT
    
      In container we drop packets in ip_rcv->ip_forward based on
      vzprivnet_classify, as entries_root and vzpriv_search are not
      virtualized it uses hosts vz private networks in checks.
    
      So if we have private network say 172.0.0.0/8 on host:
      	cat /proc/vz/privnet/legacy
      	172.0.0.0/8/32
      Which has vzprivnet->weak == VZPRIVNET_STRONG(0) any packet
      which came to CT and for instance is DNAT'ed to 172.17.0.2 will
      be dropped in vzprivnet_hook.
    
      Need this for docker, as it uses 172.17.* subnet for docker
      containers, and if we have set vzprivnet mentioned above, docker
      DNAT port frowarding will not work in CTs.
    
      check:
      set vzprivnet:
      	host@ echo "+172.0.0.0/8/32" > /proc/vz/privnet/legacy
      setup docker nginx container in default docker-ready PCS6CT:
      	docker-ready-ct@ docker run -d -p 8080:80 nginx
      connect from host to container ip:
      	host@ curl $docker-ready-ct-ip:8080
      with patch - will work, without - hang.
    
      Odin #2011361 from customer Conetix Pty. Ltd.
    
      https://jira.sw.ru/browse/PSBM-35111
      Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/ipv4/netfilter/ip_vzprivnet.c  | 3 +++
 net/ipv6/netfilter/ip6_vzprivnet.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/net/ipv4/netfilter/ip_vzprivnet.c b/net/ipv4/netfilter/ip_vzprivnet.c
index 67f108e..687ad60 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -250,6 +250,9 @@ static unsigned int vzprivnet_hook(struct sk_buff *skb, int can_be_bridge)
 	struct dst_entry *dst;
 	unsigned int pmark = VZPRIV_MARK_UNKNOWN;
 
+	if (!ve_is_super(skb->dev->nd_net->owner_ve))
+		return NF_ACCEPT;
+
 	dst = skb_dst(skb);
 	if (dst != NULL) {
 		if (can_be_bridge && dst->output != ip_output) { /* bridge */
diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c b/net/ipv6/netfilter/ip6_vzprivnet.c
index 317a0e6..654f1c2 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -478,6 +478,9 @@ static unsigned int vzprivnet6_hook(struct sk_buff *skb, int can_be_bridge)
 	struct vzprivnet *dst, *src;
 	struct ipv6hdr *hdr;
 
+	if (!ve_is_super(skb->dev->nd_net->owner_ve))
+		return NF_ACCEPT;
+
 	hdr = ipv6_hdr(skb);
 
 	if (can_be_bridge) {

More information about the Devel mailing list