[Devel] [PATCH RHEL7 COMMIT] ve/net, netfilter: Adjust REDIRECT target on venet device

Konstantin Khorenko khorenko at virtuozzo.com
Thu Feb 9 07:26:45 PST 2017


The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.6.1.vz7.28.5
------>
commit c4830e4a3076841c4544c022d06ad060b322a800
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date:   Thu Feb 9 19:26:44 2017 +0400

    ve/net,netfilter: Adjust REDIRECT target on venet device
    
    Mostly backported from pcs6 code except I added:
    
     - CONFIG_VE to be able to find this snippet in future
     - Use NETIF_F_VENET so non-venet devices won't be affected
    
    Without this snippet redirection doesn't work. A simple test case:
    
     - run centos-7 container with some IP assigned and "--netfilter full"
       option in config
    
     - add the following rules inside container
    
       iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
       iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
       iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
    
     - go to the node and run
    
       curl -i $IPADDR:80
       curl -i $IPADDR:8080
    
    Both should return apache's starting page.
    
    v2 (by vvs@):
     - lookup over all addresses bound to venet until first nonloopback
    
    https://jira.sw.ru/browse/PSBM-59983
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
---
 net/netfilter/nf_nat_redirect.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
index d438698..b5548d1 100644
--- a/net/netfilter/nf_nat_redirect.c
+++ b/net/netfilter/nf_nat_redirect.c
@@ -57,6 +57,17 @@ nf_nat_redirect_ipv4(struct sk_buff *skb,
 		indev = __in_dev_get_rcu(skb->dev);
 		if (indev && indev->ifa_list) {
 			ifa = indev->ifa_list;
+#ifdef CONFIG_VE
+                       /*
+                        * Because of venet device specific, we should use
+                        * first nonloopback ifa in the list.
+                        */
+			if (skb->dev->features & NETIF_F_VENET) {
+				while (IN_LOOPBACK(ntohl(ifa->ifa_local)) &&
+				       ifa->ifa_next)
+					ifa = ifa->ifa_next;
+			}
+#endif
 			newdst = ifa->ifa_local;
 		}
 		rcu_read_unlock();
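Review bot: in the added `#ifdef CONFIG_VE` block, when every address bound to the venet device is loopback, the `while` loop stops at the last `ifa` (because `ifa->ifa_next` becomes NULL) and `newdst = ifa->ifa_local;` still picks a loopback address without any indication that the lookup failed; consider checking `IN_LOOPBACK(ntohl(ifa->ifa_local))` once more after the loop and handling that case explicitly rather than silently using the last entry. Two smaller points: the comment block (`+                       /*` through `+                        */`) is indented with spaces while the surrounding code uses tabs, and "Because of venet device specific" would read more clearly as "Because of the venet device specifics".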


More information about the Devel mailing list