[Devel] [PATCH RHEL7 COMMIT] vzprivnet6: Don't handle neighbor solicit packets in bridge
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Mar 24 08:53:38 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit 61a86914117e0501c21f8301f5d43a9919ba92d7
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Thu Mar 24 19:53:38 2016 +0400
vzprivnet6: Don't handle neighbor solicit packets in bridge
Port diff-vzprivnet6-dont-handle-neigh-solicit-in-bridge
privnet: Don't consider neighbor solicit packets
Normally these do not get forwarded, but the bridging code does so and
calls the IP_FORWARD hook on them. Need to allow these packets without
any checks.
https://jira.sw.ru:9443/browse/PSBM-7078
Ported from rhel5
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/ipv6/netfilter/ip6_vzprivnet.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c b/net/ipv6/netfilter/ip6_vzprivnet.c
index f87509f..a3667f8 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -301,19 +301,34 @@ static int sparse6_del(unsigned netid, u32 *ip, int weak)
return err;
}
+static inline int is_ipv6_neighbour_solicit(const struct in6_addr *addr)
+{
+ /* see addrconf_addr_solict_mult */
+ return (addr->s6_addr32[0] == __constant_htonl(0xFF020000) &&
+ addr->s6_addr32[1] == 0 &&
+ addr->s6_addr32[2] == __constant_htonl(1) &&
+ (addr->s6_addr32[3] & __constant_htonl(0xFF000000)) == __constant_htonl(0xFF000000));
+}
+
static unsigned int vzprivnet6_hook(struct sk_buff *skb, int can_be_bridge)
{
int verdict = NF_DROP;
struct vzprivnet *dst, *src;
struct ipv6hdr *hdr;
- if (can_be_bridge && !vzpn_handle_bridged &&
- skb_dst(skb) != NULL && skb_dst(skb)->output != ip6_output)
- return NF_ACCEPT;
+ hdr = ipv6_hdr(skb);
+
+ if (can_be_bridge) {
+ if (!vzpn_handle_bridged &&
+ skb_dst(skb) != NULL &&
+ skb_dst(skb)->output != ip6_output)
+ return NF_ACCEPT;
+ if (is_ipv6_neighbour_solicit(&hdr->daddr))
+ return NF_ACCEPT;
+ }
read_lock(&vzpriv6lock);
- hdr = ipv6_hdr(skb);
src = vzprivnet6_lookup_net(hdr->saddr.in6_u.u6_addr32);
dst = vzprivnet6_lookup_net(hdr->daddr.in6_u.u6_addr32);
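Review bot: the new early accept in vzprivnet6_hook keys only on the destination address, so it exempts more than neighbor solicitations. `is_ipv6_neighbour_solicit()` returns true for any packet whose destination is in the solicited-node multicast range (ff02::1:ff00:0/104), regardless of next header or ICMPv6 type, which means any bridged traffic addressed there skips the privnet lookup and is accepted before `read_lock(&vzpriv6lock)`. If the intent is to pass only NDP solicitations, consider also requiring `hdr->nexthdr == IPPROTO_ICMPV6` and an ICMPv6 type of NDISC_NEIGHBOUR_SOLICITATION (with a linear-header check for the ICMPv6 header), or at least rename the helper to something like `is_ipv6_solicited_node_mcast()` and add a comment stating that the exemption is address-based by design. The helper name suggests a packet-type check that the code does not perform.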