[Devel] [PATCH RHEL7 COMMIT] vzprivnet: Check for bridged skbs in privnet properly

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 24 08:53:36 PDT 2016


The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit d02736fc7e9fa2d9c9c4bf4c696bf2a366e61c53
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Mar 24 19:53:36 2016 +0400

    vzprivnet: Check for bridged skbs in privnet properly
    
    Port diff-vz-privnet-check-for-bridge-properly
      privnet: Check for bridged skbs in privnet properly
    
      The existing check for skb->nf_bridge is not good. This mark
      lives with an SKB till its death :(
    
      The better check is to make sure SKB came from not ip_forward ;)
    
      https://jira.sw.ru:9443/browse/PSBM-6635
    
      Ported from rhel5
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/ipv4/netfilter/ip_vzprivnet.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/netfilter/ip_vzprivnet.c b/net/ipv4/netfilter/ip_vzprivnet.c
index cf08d22..d96043f 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -245,16 +245,17 @@ static unsigned int vzprivnet_hook(const struct nf_hook_ops *ops,
 	struct dst_entry *dst;
 	unsigned int pmark = VZPRIV_MARK_UNKNOWN;
 
-	if ((*pskb)->nf_bridge != NULL) {
-		if (!vzpn_handle_bridged)
-			return NF_ACCEPT;
-		else
-			return vzprivnet_classify(skb, 1);
-	}
-
 	dst = skb_dst(skb);
-	if (dst != NULL)
+	if (dst != NULL) {
+		if (dst->input != ip_forward) { /* bridge */
+			if (!vzpn_handle_bridged)
+				return NF_ACCEPT;
+			else
+				return vzprivnet_classify(skb, 1);
+		}
+
 		pmark = dst_pmark_get(dst);
+	}
 
 	if (unlikely(pmark == VZPRIV_MARK_UNKNOWN)) {
 		pmark = vzprivnet_classify(skb, 0);
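
Review bot: the bridged test `if (dst->input != ip_forward)` now sits inside `if (dst != NULL)`, so an skb that reaches vzprivnet_hook() without a dst never consults vzpn_handle_bridged; it falls through with pmark == VZPRIV_MARK_UNKNOWN to `vzprivnet_classify(skb, 0)`. The removed nf_bridge test ran before the dst lookup and had no such dependency. If a NULL dst cannot occur at this hook, a comment saying so would help; otherwise the NULL case needs an explicit decision, because it determines whether the privnet filter is applied at all when vzpn_handle_bridged is off. The `/* bridge */` comment is also too terse for what the condition does: any dst whose input handler is something other than ip_forward takes this branch, not only bridged traffic, so the comment should state why that equivalence holds here. A minor style point: the `else` after `return NF_ACCEPT;` is redundant and could be dropped.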

