[Devel] [PATCH RHEL7 COMMIT] ve/netfilter: rectify nflog inside CT
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jan 20 07:49:46 PST 2017
The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.6.1.vz7.28.2
------>
commit 647c6ffa6f1983f4f934ba7097788d3022dfa203
Author: Dmitry Safonov <dsafonov at virtuozzo.com>
Date: Fri Jan 20 19:49:46 2017 +0400
ve/netfilter: rectify nflog inside CT
Print iptables LOG output for IPv4/IPv6 packets into the VE's log buffer.
https://jira.sw.ru/browse/PSBM-54183
Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
include/net/netfilter/nf_log.h | 2 +-
net/ipv4/netfilter/nf_log_ipv4.c | 6 +-----
net/ipv6/netfilter/nf_log_ipv6.c | 6 +-----
net/netfilter/nf_log.c | 4 ++--
4 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 57639fc..af23057 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -93,7 +93,7 @@ struct nf_log_buf;
struct nf_log_buf *nf_log_buf_open(void);
__printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...);
-void nf_log_buf_close(struct nf_log_buf *m);
+void nf_log_buf_close(struct nf_log_buf *m, struct ve_struct *ve);
/* common logging functions */
int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb,
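Review bot: `struct ve_struct` is used in the new prototype without a declaration visible in this hunk. If the header does not already pull in its definition, a struct tag first seen inside a parameter list has prototype scope only, which produces a warning and an incompatible pointer type at every call site. Adding `struct ve_struct;` next to the existing `struct nf_log_buf;` forward declaration would make the header self-contained. Because the signature changes, any caller of nf_log_buf_close() outside the two logger files patched here will stop building, so a tree-wide grep is worth doing.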
diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
index 7510198..92cdbfa 100644
--- a/net/ipv4/netfilter/nf_log_ipv4.c
+++ b/net/ipv4/netfilter/nf_log_ipv4.c
@@ -316,10 +316,6 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
{
struct nf_log_buf *m;
- /* FIXME: Disabled from containers until syslog ns is supported */
- if (!net_eq(net, &init_net))
- return;
-
m = nf_log_buf_open();
if (!loginfo)
@@ -333,7 +329,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf,
dump_ipv4_packet(m, loginfo, skb, 0);
- nf_log_buf_close(m);
+ nf_log_buf_close(m, net->owner_ve);
}
static struct nf_logger nf_ip_logger __read_mostly = {
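Review bot: `net->owner_ve` is read and passed on without any check or reference in the new `nf_log_buf_close(m, net->owner_ve);` call, and the same line is added in nf_log_ip6_packet. If that field can be unset for a namespace, or the VE can be stopped while packets still traverse its hooks, ve_log_printk would receive a NULL or stale pointer; neither definition is visible here, so this should be confirmed. With the init_net guard removed earlier in this function, LOG rules installed from inside a container now drive the output volume, so it is also worth confirming that the per-VE buffer is bounded and that nothing falls through to the host's log. A comment such as `/* owner_ve is valid for the lifetime of net; output goes to the CT's own log buffer */` would record the assumption. The function body starts outside this hunk.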
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index 7fc34d1..fc79ffe 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -348,10 +348,6 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
{
struct nf_log_buf *m;
- /* FIXME: Disabled from containers until syslog ns is supported */
- if (!net_eq(net, &init_net))
- return;
-
m = nf_log_buf_open();
if (!loginfo)
@@ -365,7 +361,7 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf,
dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);
- nf_log_buf_close(m);
+ nf_log_buf_close(m, net->owner_ve);
}
static struct nf_logger nf_ip6_logger __read_mostly = {
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index cb25f6a..56aa756 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -285,10 +285,10 @@ struct nf_log_buf *nf_log_buf_open(void)
}
EXPORT_SYMBOL_GPL(nf_log_buf_open);
-void nf_log_buf_close(struct nf_log_buf *m)
+void nf_log_buf_close(struct nf_log_buf *m, struct ve_struct *ve)
{
m->buf[m->count] = 0;
- printk("%s\n", m->buf);
+ ve_log_printk(ve, "%s\n", m->buf);
if (likely(m != &emergency))
kfree(m);
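Review bot: nf_log_buf_close() is declared in the public header and now takes a `ve` argument, but nothing states what callers may pass; the hunk hands it straight to `ve_log_printk(ve, "%s\n", m->buf);`. A short comment above the definition would help, for example `/* Flush @m to @ve's log buffer and release it; @ve is the VE owning the netns that logged the packet. */`. It should also say whether NULL is acceptable, which cannot be determined from the lines shown. The function body continues past the end of this hunk.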