[Devel] [PATCH RHEL7 COMMIT] ve/net, netfilter: Adjust REDIRECT target on venet device

Konstantin Khorenko khorenko at virtuozzo.com
Thu Feb 9 07:28:04 PST 2017


Please consider preparing a ReadyKernel patch for it.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 02/09/2017 06:26 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-514.6.1.vz7.28.5
> ------>
> commit c4830e4a3076841c4544c022d06ad060b322a800
> Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
> Date:   Thu Feb 9 19:26:44 2017 +0400
>
>     ve/net,netfilter: Adjust REDIRECT target on venet device
>
>     Mostly backported from pcs6 code except I added:
>
>      - CONFIG_VE to be able to find this snippet in future
>      - Use NETIF_F_VENET so non-venet devices won't be affected
>
>     Without this snippet redirection doesn't work. A simple test case:
>
>      - run centos-7 container with some IP assigned and "--netfilter full"
>        option in config
>
>      - add the following rules inside container
>
>        iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>        iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
>
>      - go on node and run
>
>        curl -i $IPADDR:80
>        curl -i $IPADDR:8080
>
>     Both should return Apache's starting page.
>
>     v2 (by vvs@):
>      - lookup over all addresses bound to venet until first nonloopback
>
>     https://jira.sw.ru/browse/PSBM-59983
>
>     Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>

