[Devel] [PATCH RHEL7 COMMIT] net: Mark conntrack users in xtables
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 13 02:09:57 PDT 2016
The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.28.2.vz7.17.5
------>
commit ea69e57dd11d6ab6cd2fefbf64993228cdcd002e
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date: Tue Sep 13 13:09:57 2016 +0400
net: Mark conntrack users in xtables
Allow conntracks to be allocated in case these
rules are inserted.
https://jira.sw.ru/browse/PSBM-51050
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Reviewed-by: Andrei Vagin <avagin at virtuozzo.com>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 ++
net/ipv4/netfilter/ipt_MASQUERADE.c | 1 +
net/ipv4/netfilter/ipt_SYNPROXY.c | 6 +++++-
net/ipv6/netfilter/ip6t_MASQUERADE.c | 1 +
net/ipv6/netfilter/ip6t_SYNPROXY.c | 6 +++++-
net/netfilter/xt_CONNSECMARK.c | 2 ++
net/netfilter/xt_HMARK.c | 1 +
net/netfilter/xt_NETMAP.c | 2 ++
net/netfilter/xt_REDIRECT.c | 2 ++
net/netfilter/xt_cluster.c | 1 +
net/netfilter/xt_connbytes.c | 2 ++
net/netfilter/xt_connlabel.c | 3 ++-
net/netfilter/xt_connlimit.c | 2 ++
net/netfilter/xt_connmark.c | 3 +++
net/netfilter/xt_conntrack.c | 2 ++
net/netfilter/xt_helper.c | 1 +
net/netfilter/xt_ipvs.c | 1 +
net/netfilter/xt_nat.c | 9 +++++++++
net/netfilter/xt_socket.c | 9 +++++++++
net/netfilter/xt_state.c | 2 ++
20 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 5798d53..84e05cd 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -418,6 +418,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
return ret;
}
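Review bot: Nothing in this hunk, or in any other hunk of the commit, undoes the enable: no `*_destroy` callback gets a matching call, so after a single rule insertion the netns presumably stays in the allowed state even once every conntrack-dependent rule is removed. I cannot see the definition of allow_conntrack_allocation, so if that latch behaviour is intended it should be stated either in the commit message or next to the helper's definition (outside this patch), e.g. `/* Latch: once a conntrack-dependent rule has been inserted, conntrack allocation stays enabled for the lifetime of par->net. */`. If instead the state is meant to track live rules, each target and match touched here also needs the reverse call on destroy. The same point applies to every hunk in this commit; clusterip_tg_check begins outside the hunk.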
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index da7f02a..ae621de 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -41,6 +41,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
pr_debug("bad rangesize %u\n", mr->rangesize);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f28cd93..f49f9a3 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -408,12 +408,16 @@ static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
static int synproxy_tg4_check(const struct xt_tgchk_param *par)
{
const struct ipt_entry *e = par->entryinfo;
+ int ret;
if (e->ip.proto != IPPROTO_TCP ||
e->ip.invflags & XT_INV_PROTO)
return -EINVAL;
- return nf_ct_l3proto_try_module_get(par->family);
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret == 0)
+ allow_conntrack_allocation(par->net);
+ return ret;
}
static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
index 7f9f45d..ce15db3 100644
--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
+++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
@@ -33,6 +33,7 @@ static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
if (range->flags & NF_NAT_RANGE_MAP_IPS)
return -EINVAL;
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 3308621..ee6ccfb 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -432,13 +432,17 @@ static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
static int synproxy_tg6_check(const struct xt_tgchk_param *par)
{
const struct ip6t_entry *e = par->entryinfo;
+ int ret;
if (!(e->ipv6.flags & IP6T_F_PROTO) ||
e->ipv6.proto != IPPROTO_TCP ||
e->ipv6.invflags & XT_INV_PROTO)
return -EINVAL;
- return nf_ct_l3proto_try_module_get(par->family);
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret == 0)
+ allow_conntrack_allocation(par->net);
+ return ret;
}
static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index e04dc28..4a4cee9 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -110,6 +110,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
return ret;
}
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 73b73f6..48dfe88 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -334,6 +334,7 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
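Review bot: HMARK consults conntrack only when a rule sets `XT_HMARK_FLAG(XT_HMARK_CT)`, yet the added line enables conntrack allocation for every HMARK rule, which widens the enable beyond what the commit message describes. Gating it as `if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))` immediately before `allow_conntrack_allocation(par->net);` keeps a netns whose HMARK rules do not use conntrack in its lean state. This assumes `info` (the `struct xt_hmark_info` the preceding flag checks read) is in scope, which the context suggests but the hunk does not show; hmark_tg_check starts outside the hunk.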
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index b253e07..94fd456 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -60,6 +60,7 @@ static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
return -EINVAL;
+ allow_conntrack_allocation(par->net);
return 0;
}
@@ -111,6 +112,7 @@ static int netmap_tg4_check(const struct xt_tgchk_param *par)
pr_debug("bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c
index 22a1030..8a44a07 100644
--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -76,6 +76,7 @@ static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
if (range->flags & NF_NAT_RANGE_MAP_IPS)
return -EINVAL;
+ allow_conntrack_allocation(par->net);
return 0;
}
@@ -92,6 +93,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par)
pr_debug("bad rangesize %u.\n", mr->rangesize);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index f4af1bf..d7d575e 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -147,6 +147,7 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
"higher than the total number of nodes\n");
return -EDOM;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index e595e07..07326a0 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,6 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
/*
* This filter cannot function correctly unless connection tracking
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 9f8719d..bb75e8c 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -57,7 +57,8 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
return ret;
- }
+ } else
+ allow_conntrack_allocation(par->net);
par->net->ct.labels_used++;
words = BITS_TO_LONGS(info->bit+1);
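Review bot: The new `} else` pairs an unbraced branch with a braced one, which the kernel coding style asks to avoid, and the `else` is redundant because the braced branch ends in `return ret;`. Dropping the `else` and placing `allow_conntrack_allocation(par->net);` on its own line after the closing `}` reads identically and matches how the MASQUERADE, HMARK and connlimit hunks place the call. connlabel_mt_check begins outside the hunk.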
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 34aa0ba..72752b1 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -389,6 +389,8 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
for (i = 0; i < ARRAY_SIZE(info->data->climit_root6); ++i)
info->data->climit_root6[i] = RB_ROOT;
+ allow_conntrack_allocation(par->net);
+
return 0;
}
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 3059aa3..baf25c2 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -182,6 +182,7 @@ static int connmark_mt_check_v0(const struct xt_mtchk_param *par)
"proto=%u\n", par->family);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
@@ -207,6 +208,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
return ret;
}
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 4846430..bdd398a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -415,6 +415,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
return ret;
}
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 9f4ab00..230cb1e 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -66,6 +66,7 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
return ret;
}
info->name[29] = '\0';
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 8d47c37..2f74f35 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -161,6 +161,7 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index bea7464..27a2020 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -23,6 +23,13 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
par->target->name);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
+ return 0;
+}
+
+static int xt_nat_checkentry_v1(const struct xt_tgchk_param *par)
+{
+ allow_conntrack_allocation(par->net);
return 0;
}
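Review bot: xt_nat_checkentry_v1 exists solely to call allow_conntrack_allocation, but nothing says so, and a later reader may assume the revision-1 validation was forgotten. A one-line comment above the new function, `/* v1 SNAT/DNAT have nothing to validate; this hook only marks the netns as a conntrack user. */`, makes the intent explicit. The same applies to socket_mt_v0_check in the xt_socket hunk.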
@@ -129,6 +136,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
{
.name = "SNAT",
.revision = 1,
+ .checkentry = xt_nat_checkentry_v1,
.target = xt_snat_target_v1,
.targetsize = sizeof(struct nf_nat_range),
.table = "nat",
@@ -139,6 +147,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
{
.name = "DNAT",
.revision = 1,
+ .checkentry = xt_nat_checkentry_v1,
.target = xt_dnat_target_v1,
.targetsize = sizeof(struct nf_nat_range),
.table = "nat",
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1ba6793..102946a 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -388,6 +388,12 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
}
#endif
+static int socket_mt_v0_check(const struct xt_mtchk_param *par)
+{
+ allow_conntrack_allocation(par->net);
+ return 0;
+}
+
static int socket_mt_v1_check(const struct xt_mtchk_param *par)
{
const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
@@ -396,6 +402,7 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par)
pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
@@ -407,6 +414,7 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2);
return -EINVAL;
}
+ allow_conntrack_allocation(par->net);
return 0;
}
@@ -416,6 +424,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.revision = 0,
.family = NFPROTO_IPV4,
.match = socket_mt4_v0,
+ .checkentry = socket_mt_v0_check,
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index a507922..eb5a50d 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -47,6 +47,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+ else
+ allow_conntrack_allocation(par->net);
return ret;
}