[Devel] [PATCH RHEL7 COMMIT] netfilter: always create netfilter per-net objects for ipv4/ipv6

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 17:12:22 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.14
------>
commit 7be156434c026add55324eb9e897270d4df4800f
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Jul 21 18:12:22 2017 +0400

    netfilter: always create netfilter per-net objects for ipv4/ipv6
    
    Their dentries won't be visible due to absence of S_ISVTX bit (if netfilter
    is disabled). Also they won't be accessible due to checks in
    ip_{get,set}sockopt. But all this applies to our CTs only.
    
    CRIU will have access to all this stuff by joining network namespace, thus
    being able to suspend and restore such containers with netfilter disabled.
    
    https://jira.sw.ru/browse/PSBM-68767
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 net/ipv4/netfilter/ip_tables.c  | 5 -----
 net/ipv6/netfilter/ip6_tables.c | 6 ------
 2 files changed, 11 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3ad1c67..fe40773 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2081,8 +2081,6 @@ static int __net_init ip_tables_net_init(struct net *net)
 {
 	int res;
 
-	if (!net_ipt_permitted(net, VE_IP_IPTABLES))
-		return 0;
 	res = xt_proto_init(net, NFPROTO_IPV4);
 	if (!res)
 		net_ipt_module_set(net, VE_IP_IPTABLES);
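Review bot: with the net_ipt_permitted() early return gone, net_ipt_module_set(net, VE_IP_IPTABLES) now marks the module as set for every net namespace, including containers where netfilter is disabled. The commit message relies on the S_ISVTX and ip_{get,set}sockopt checks to keep the objects hidden and inaccessible; please confirm those checks are keyed on net_ipt_permitted() rather than on net_is_ipt_module_set(), otherwise setting the flag unconditionally here would also open the sockopt path for such containers.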
@@ -2091,9 +2089,6 @@ static int __net_init ip_tables_net_init(struct net *net)
 
 static void __net_exit ip_tables_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES))
-		return;
-
 	xt_proto_fini(net, NFPROTO_IPV4);
 
 	net_ipt_module_clear(net, VE_IP_IPTABLES);
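Review bot: dropping the net_is_ipt_module_set() guard also removes the protection for the case where xt_proto_init() failed in ip_tables_net_init() (res != 0, flag never set), so xt_proto_fini(net, NFPROTO_IPV4) is now called for a net whose proc entries were never registered. Please confirm xt_proto_fini() tolerates that, or keep a guard on the failure case. A short comment noting that init is now unconditional (so exit must be too) would help the next reader, since the removed check was the only hint.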
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9d431c7..e08311a 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -2078,9 +2078,6 @@ static int __net_init ip6_tables_net_init(struct net *net)
 {
 	int res;
 
-	if (!net_ipt_permitted(net, VE_IP_IPTABLES6))
-		return 0;
-
 	res = xt_proto_init(net, NFPROTO_IPV6);
 	if (!res)
 		net_ipt_module_set(net, VE_IP_IPTABLES6);
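Review bot: this mirrors the IPv4 hunk, so the same question applies to net_ipt_module_set(net, VE_IP_IPTABLES6) now being called for every net; listing the flag's remaining consumers in the commit message would let a reviewer see that none of them grants access on its own. A one-line comment above xt_proto_init() explaining that the per-net objects are created even when netfilter is disabled for the CT (so CRIU can join the namespace) would document the intent in the code itself.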
@@ -2089,9 +2086,6 @@ static int __net_init ip6_tables_net_init(struct net *net)
 
 static void __net_exit ip6_tables_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_IPTABLES6))
-		return;
-
 	xt_proto_fini(net, NFPROTO_IPV6);
 
 	net_ipt_module_clear(net, VE_IP_IPTABLES6);
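Review bot: as in the IPv4 exit hunk, the removed guard covered a failed xt_proto_init() as well as the not-permitted case; with it gone, xt_proto_fini(net, NFPROTO_IPV6) runs even when init returned an error and VE_IP_IPTABLES6 was never set. Please confirm this is safe or handle the failure case explicitly, and keep the IPv4 and IPv6 variants in step.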