[Devel] [PATCH RHEL7 COMMIT] netfilter: always create per-net "filter" tables objects

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 21 17:12:22 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.26.1.vz7.33.14
------>
commit 0957cd446d265ca9097a62f7293f4590a8dd109b
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Jul 21 18:12:22 2017 +0400

    netfilter: always create per-net "filter" tables objects
    
    They are required by CRIU to suspend and restore a container.
    
    https://jira.sw.ru/browse/PSBM-58574
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 net/ipv4/netfilter/iptable_filter.c  | 6 ------
 net/ipv6/netfilter/ip6table_filter.c | 6 ------
 2 files changed, 12 deletions(-)

diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index ff879a0..3d5b604 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -59,9 +59,6 @@ static int __net_init iptable_filter_net_init(struct net *net)
 {
 	struct ipt_replace *repl;
 
-	if (!net_ipt_permitted(net, VE_IP_FILTER))
-		return 0;
-
 	repl = ipt_alloc_initial_table(&packet_filter);
 	if (repl == NULL)
 		return -ENOMEM;
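Review bot: With the `net_ipt_permitted(net, VE_IP_FILTER)` gate removed, iptable_filter_net_init registers the filter table in every network namespace, and nothing in the new code records why or where the per-container feature mask is still enforced. A short comment above the allocation would keep the rationale next to the code, e.g. `/* Always register: CRIU needs the table object to suspend and restore a container (PSBM-58574) */`. Since this check was the only gate visible here, it is worth confirming that rule changes from a container without VE_IP_FILTER are still refused elsewhere, presumably on a path outside this diff. The same points apply to the ip6table_filter_net_init hunk with VE_IP_FILTER6, and the matching exit hunks now unregister unconditionally. The function bodies continue outside the hunks.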
@@ -81,9 +78,6 @@ static int __net_init iptable_filter_net_init(struct net *net)
 
 static void __net_exit iptable_filter_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_FILTER))
-		return;
-
 	ipt_unregister_table(net, net->ipv4.iptable_filter);
 	net->ipv4.iptable_filter = NULL;
 
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 78e88ea..4a6184f 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -51,9 +51,6 @@ static int __net_init ip6table_filter_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
 
-	if (!net_ipt_permitted(net, VE_IP_FILTER6))
-		return 0;
-
 	repl = ip6t_alloc_initial_table(&packet_filter);
 	if (repl == NULL)
 		return -ENOMEM;
@@ -73,9 +70,6 @@ static int __net_init ip6table_filter_net_init(struct net *net)
 
 static void __net_exit ip6table_filter_net_exit(struct net *net)
 {
-	if (!net_is_ipt_module_set(net, VE_IP_FILTER6))
-		return;
-
 	ip6t_unregister_table(net, net->ipv6.ip6table_filter);
 	net->ipv6.ip6table_filter = NULL;
 

