[Devel] [PATCH RHEL7 COMMIT] netfilter: ve_ipt_permitted() helper introduced

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 17:12:20 MSK 2017 

The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.14
------>
commit fcc1454dec69b4edff623688562de20ba13e6910
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Jul 21 18:12:20 2017 +0400

    netfilter: ve_ipt_permitted() helper introduced
    
    Patchset description:
    
    This series is aimed to give CRCIU an ability to suspend and restore
    VZ containers with disabled netfilter.
    The problem is that with CT doesn't have any netfilter objects, when netfilter
    is disabled, while CRIU needs iptables to suspend and restore container
    network reliably.
    This series does the following:
    1) Make netfilter tables objects always created
    2) Hides corresponding proc entries in CT, if netfilter is disabled
    3) Doesn't allow to access netfilter via sys_{get_set}sockopts in CT is
    netfilter is disabled.
    
    With this series applid, CRIU is able to suspend container, because it joins
    containers network namespace remaining in VE#0, thus all the netfilter stuff
    is always accessible.
    
    https://jira.sw.ru/browse/PSBM-58574
    
    Stanislav Kinsburskiy (5):
          netfilter: ve_ipt_permitted() helper introduced
          netfilter: control iptables detries visibility in CT by S_ISVTX
          netfilter: check per-ve netfilter status on actual operation
          netfilter: always create per-net "filter" tables objects
          netfilter: always create netfilter per-net objects for ipv4/ipv6
    
    ==================================
    This patch description:
    
    Will be used for iptables availability initialization
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 include/linux/netfilter.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 98e53c8..f395cc3 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -410,6 +410,9 @@ DECLARE_PER_CPU(bool, nf_skb_duplicated);
 #ifdef CONFIG_VE_IPTABLES
 #include <linux/vziptable_defs.h>
 
+#define ve_ipt_permitted(netns, ipt)					\
+	(mask_ipt_allow(get_exec_env()->ipt_mask, ipt))
+
 #define net_ipt_permitted(netns, ipt)					\
 	(mask_ipt_allow((netns)->owner_ve->ipt_mask, ipt))

More information about the Devel mailing list