[Devel] [PATCH rh8 01/28] Revert "ve/net: Track netfilter modules per net-namespace"
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Apr 13 11:25:11 MSK 2021
This reverts commit d9e5d43b2aa2876795ff99ccbb3f306c62c79041.
We are getting rid of the iptables mask: all netfilter modules will
always be available in Containers.
https://jira.sw.ru/browse/PSBM-127787
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
include/linux/netfilter.h | 32 --------------------------------
include/net/net_namespace.h | 3 ---
net/core/net_namespace.c | 4 ----
3 files changed, 39 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 8a0cc7f0b096..e337aba47475 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -13,7 +13,6 @@
#include <linux/static_key.h>
#include <linux/netfilter_defs.h>
#include <linux/netdevice.h>
-#include <linux/ve.h>
#include <net/net_namespace.h>
#ifdef CONFIG_NETFILTER
@@ -443,35 +442,4 @@ extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
*/
DECLARE_PER_CPU(bool, nf_skb_duplicated);
-#ifdef CONFIG_VE_IPTABLES
-#include <linux/vziptable_defs.h>
-
-#define ve_ipt_permitted(netns, ipt) \
- (mask_ipt_allow(get_exec_env()->ipt_mask, ipt))
-
-#define net_ipt_permitted(netns, ipt) \
- (mask_ipt_allow((netns)->owner_ve->ipt_mask, ipt))
-
-#define net_ipt_module_set(netns, ipt) \
- ({ \
- (netns)->_iptables_modules |= ipt##_MOD; \
- })
-
-#define net_ipt_module_clear(netns, ipt) \
- ({ \
- (netns)->_iptables_modules &= ~ipt##_MOD; \
- })
-
-#define net_is_ipt_module_set(netns, ipt) \
- ((netns)->_iptables_modules & (ipt##_MOD))
-
-#else /* CONFIG_VE_IPTABLES */
-
-#define net_ipt_permitted(netns, ipt) (1)
-#define net_is_ipt_module_set(netns, ipt) (1)
-#define net_ipt_module_set(netns, ipt)
-#define net_ipt_module_clear(netns, ipt)
-
-#endif /* CONFIG_VE_IPTABLES */
-
#endif /*__LINUX_NETFILTER_H*/
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index d35391072922..93838c430818 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -102,9 +102,6 @@ struct net {
#ifdef CONFIG_VE
struct ve_struct *owner_ve;
-#ifdef CONFIG_VE_IPTABLES
- __u64 _iptables_modules;
-#endif
#endif
/* core fib_rules */
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 57c6b982a301..d742c19c9eb4 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -24,7 +24,6 @@
#include <net/netns/generic.h>
#include <linux/ve.h>
-#include <uapi/linux/vziptable_defs.h>
/*
* Our network namespace constructor/destructor lists
*/
@@ -44,9 +43,6 @@ struct net init_net = {
.dev_base_head = LIST_HEAD_INIT(init_net.dev_base_head),
#ifdef CONFIG_VE
.owner_ve = &ve0,
-#ifdef CONFIG_VE_IPTABLES
- ._iptables_modules = VE_IP_NONE,
-#endif
#endif
};
EXPORT_SYMBOL(init_net);
--
2.28.0