[Devel] [PATCH RHEL7 COMMIT] ve/net, netfilter: Adjust REDIRECT target on venet device
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Feb 9 07:28:04 PST 2017
Please consider preparing a ReadyKernel patch for it.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 02/09/2017 06:26 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-514.6.1.vz7.28.5
> ------>
> commit c4830e4a3076841c4544c022d06ad060b322a800
> Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
> Date: Thu Feb 9 19:26:44 2017 +0400
>
> ve/net,netfilter: Adjust REDIRECT target on venet device
>
> Mostly backported from pcs6 code except I added:
>
> - CONFIG_VE to be able to find this snippet in future
> - Use NETIF_F_VENET so non-venet devices won't be affected
>
> Without this snippet redirection doesn't work. A simple test case:
>
> - run centos-7 container with some IP assigned and "--netfilter full"
>   option in config
>
> - add the following rules inside container
>
>     iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>     iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>     iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
>
> - go on node and run
>
>     curl -i $IPADDR:80
>     curl -i $IPADDR:8080
>
> Both should return Apache's starting page.
>
> v2 (by vvs@):
> - lookup over all addresses bound to venet until first nonloopback
>
> https://jira.sw.ru/browse/PSBM-59983
>
> Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>