[Devel] [PATCH RHEL7 COMMIT] vzprivnet: Allow internet access for weak private networks
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Mar 24 08:53:40 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit fe7fe7c40308523be30aa9990f8c4a7ea568b509
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Thu Mar 24 19:53:40 2016 +0400
vzprivnet: Allow internet access for weak private networks
Port diff-vzprivnet-kill-weak-to-weak-communications
VZPRIVNET: allow internet access to weak private networks
All communications between weak private networks will be dropped from
now on, except internet connection packets.
Jira: https://jira.sw.ru/browse/PCLIN-28916
Ported from rhel5
Signed-off-by: Stanislav Kinsbursky <skinsbursky at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
include/linux/vzprivnet.h | 1 +
net/ipv4/netfilter/ip_vzprivnet.c | 4 ++--
net/ipv6/netfilter/ip6_vzprivnet.c | 4 ++--
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/include/linux/vzprivnet.h b/include/linux/vzprivnet.h
index fb345db..3b6ee0e 100644
--- a/include/linux/vzprivnet.h
+++ b/include/linux/vzprivnet.h
@@ -16,5 +16,6 @@ void vzprivnet_unreg_show(vzprivnet_show_fn);
#define VZPRIVNET_STRONG 0
#define VZPRIVNET_WEAK 1
+#define VZPRIVNET_INET 2
#endif
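Review bot: `VZPRIVNET_INET 2` is correct only because of an arithmetic rule that lives in two other files (`p1->weak + p2->weak >= 3` in ip_vzprivnet.c and `src->weak + dst->weak >= 3` in ip6_vzprivnet.c), and nothing at the definition says the three values must stay exactly 0, 1, 2 and are summed pairwise. A comment beside the macros should state the invariant, e.g. `/* Levels are summed pairwise: two networks may talk iff level(a) + level(b) >= 3, i.e. WEAK<->INET and INET<->INET; WEAK<->WEAK and STRONG<->anything are dropped. */`. The field that holds these values is still named `weak` in the `vzpriv_internet` and `internet` initializers this commit touches, which now reads as a boolean although it is a tri-state; a one-line comment at those initializers (`/* VZPRIVNET_INET: reachable from weak networks, never from strong ones */`) would keep the next reader from treating it as a flag.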
diff --git a/net/ipv4/netfilter/ip_vzprivnet.c b/net/ipv4/netfilter/ip_vzprivnet.c
index 2c72dd3..2045951 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -191,7 +191,7 @@ static struct vzprivnet_range *legacy_next(struct vzprivnet_range *p)
static struct vzprivnet vzpriv_internet = {
.nmask = 0,
- .weak = VZPRIVNET_WEAK
+ .weak = VZPRIVNET_INET
};
static struct vzprivnet *vzpriv_search(u32 ip)
@@ -229,7 +229,7 @@ static noinline unsigned int vzprivnet_classify(struct sk_buff *skb, int type)
else
res = VZPRIV_MARK_DROP;
} else {
- if (p1->weak && p2->weak)
+ if (p1->weak + p2->weak >= 3)
res = VZPRIV_MARK_ACCEPT;
else
res = VZPRIV_MARK_DROP;
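Review bot: The new condition `p1->weak + p2->weak >= 3` encodes the policy as arithmetic, so it silently accepts any `weak` value of 2 or more on one side paired with any non-zero value on the other; the rule is correct only as long as the field never holds anything but VZPRIVNET_STRONG/WEAK/INET. If that field is ever filled from configuration input (the parser is not visible here), a range check there is needed, and the policy would be clearer written against the named levels, which is equivalent to the sum test for the three defined values: `if ((p1->weak == VZPRIVNET_INET || p2->weak == VZPRIVNET_INET) &&` / `    p1->weak != VZPRIVNET_STRONG && p2->weak != VZPRIVNET_STRONG)`, with a comment `/* INET talks to WEAK and INET, never to STRONG; WEAK<->WEAK is dropped */`. The same applies to the `src->weak + dst->weak >= 3` hunk in ip6_vzprivnet.c, where the equivalent explicit form would keep both hooks readable as the same rule. vzprivnet_classify starts and ends outside this hunk, so the earlier branch that handles `p1 == p2` cannot be checked here.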
diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c b/net/ipv6/netfilter/ip6_vzprivnet.c
index 9d02cb5..ff8ac77 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -120,7 +120,7 @@ static struct vzprivnet_entry *vzprivnet6_lookup(u32 *ip)
}
struct vzprivnet internet = {
- .weak = VZPRIVNET_WEAK,
+ .weak = VZPRIVNET_INET,
};
static inline struct vzprivnet *vzprivnet6_lookup_net(u32 *ip)
@@ -334,7 +334,7 @@ static unsigned int vzprivnet6_hook(struct sk_buff *skb, int can_be_bridge)
if (src == dst)
verdict = NF_ACCEPT;
- else if (src->weak && dst->weak)
+ else if (src->weak + dst->weak >= 3)
verdict = NF_ACCEPT;
read_unlock(&vzpriv6lock);