[Devel] [PATCH 5/5] netfilter: always create netfilter per-net objects for ipv4/ipv6

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Fri Jul 21 10:23:33 MSK 2017


Their dentries won't be visible due to absence of S_ISVTX bit (if netfilter
is disabled). Also they won't be accessible due to checks in
ip_{get,set}sockopt. But all this applies to our CTs only.

CRIU will have access to all this stuff by joining network namespace, thus
being able to suspend and restore such containers with netfilter disabled.

https://jira.sw.ru/browse/PSBM-68767

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 net/ipv4/netfilter/ip_tables.c  |    5 -----
 net/ipv6/netfilter/ip6_tables.c |    6 ------
 2 files changed, 11 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3ad1c67..fe40773 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2081,8 +2081,6 @@ static int __net_init ip_tables_net_init(struct net *net)
 {
 	int res;
 
-	if (!net_ipt_permitted(net, VE_IP_IPTABLES))
-		return 0;
 	res = xt_proto_init(net, NFPROTO_IPV4);
 	if (!res)
 		net_ipt_module_set(net, VE_IP_IPTABLES);
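Review bot: with the net_ipt_permitted() gate removed, net_ipt_module_set(net, VE_IP_IPTABLES) now runs for every network namespace, so the VE_IP_IPTABLES bit no longer encodes "this CT is allowed iptables" but only "xt_proto_init succeeded". The commit message says in-CT access is still blocked by the S_ISVTX handling and the checks in ip_{get,set}sockopt; please confirm those checks key off net_ipt_permitted() rather than net_is_ipt_module_set(), otherwise the unconditional bit set here would open the sockopt path for containers that have netfilter disabled. A one-line note in the commit message about which predicate now carries the permission would make that clear to later readers.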
@@ -2091,9 +2089,6 @@ static int __net_init ip_tables_net_init(struct net *net)
 
 static void __net_exit ip_tables_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES))
-		return;
-
 	xt_proto_fini(net, NFPROTO_IPV4);
 
 	net_ipt_module_clear(net, VE_IP_IPTABLES);
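Review bot: dropping the net_is_ipt_module_set() early return keeps exit symmetric with the now-unconditional init, which is correct: a pernet init that fails aborts namespace creation, so xt_proto_fini() can only be reached for a net whose xt_proto_init() succeeded. The trailing net_ipt_module_clear() is now the only remaining user of the bit in this file; if the sockopt/visibility checks also stop consulting it, consider removing the set/clear pair in a follow-up rather than leaving a flag that is always set.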
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9d431c7..e08311a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2078,9 +2078,6 @@ static int __net_init ip6_tables_net_init(struct net *net)
 {
 	int res;
 
-	if (!net_ipt_permitted(net, VE_IP_IPTABLES6))
-		return 0;
-
 	res = xt_proto_init(net, NFPROTO_IPV6);
 	if (!res)
 		net_ipt_module_set(net, VE_IP_IPTABLES6);
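Review bot: this mirrors the ipv4 change, so the same question applies to VE_IP_IPTABLES6: which predicate still denies access from a CT with netfilter disabled? The commit message only names ip_{get,set}sockopt; since this hunk makes the ipv6 tables unconditional too, it should also name the ipv6 sockopt checks that are expected to keep the per-net objects unreachable from inside the container.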
@@ -2089,9 +2086,6 @@ static int __net_init ip6_tables_net_init(struct net *net)
 
 static void __net_exit ip6_tables_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES6))
-		return;
-
 	xt_proto_fini(net, NFPROTO_IPV6);
 
 	net_ipt_module_clear(net, VE_IP_IPTABLES6);