[Devel] [PATCH rh8 02/28] Revert "ve: Add support of iptables mask"

Konstantin Khorenko khorenko at virtuozzo.com
Tue Apr 13 11:25:12 MSK 2021 

This reverts commit 1c4d002f2302eaad2ce55d07cec8d7bb0537441d.

We are dropping VE iptables masks, all iptables/netfilter modules
will be always available inside Containers.

https://jira.sw.ru/browse/PSBM-127787

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 include/linux/ve.h                  |  4 --
 include/linux/vziptable_defs.h      | 22 --------
 include/uapi/linux/vziptable_defs.h | 80 -----------------------------
 kernel/Kconfig.openvz               |  8 ---
 kernel/ve/ve.c                      | 66 ------------------------
 5 files changed, 180 deletions(-)
 delete mode 100644 include/linux/vziptable_defs.h
 delete mode 100644 include/uapi/linux/vziptable_defs.h

diff --git a/include/linux/ve.h b/include/linux/ve.h
index 3b487f8a4a50..9a8d02abd328 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -60,10 +60,6 @@ struct ve_struct {
 #define VE_LOG_BUF_LEN		4096
 
 	int			_randomize_va_space;
-
-#ifdef CONFIG_VE_IPTABLES
-	__u64			ipt_mask;
-#endif
 	int			odirect_enable;
 
 	u64			_uevent_seqnum;
diff --git a/include/linux/vziptable_defs.h b/include/linux/vziptable_defs.h
deleted file mode 100644
index 9d74b733a043..000000000000
--- a/include/linux/vziptable_defs.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- *  include/linux/vziptable_defs.h
- *
- *  Copyright (c) 2000-2017 Virtuozzo International GmbH.
- *  All rights reserved.
- *
- */
-
-#ifndef _LINUX_VZIPTABLE_DEFS_H
-#define _LINUX_VZIPTABLE_DEFS_H
-
-#include <linux/types.h>
-#include <linux/sched.h>
-
-#include <uapi/linux/vziptable_defs.h>
-
-static inline bool mask_ipt_allow(__u64 permitted, __u64 mask)
-{
-	return (permitted & mask) == mask;
-}
-
-#endif /* _LINUX_VZIPTABLE_DEFS_H */
diff --git a/include/uapi/linux/vziptable_defs.h b/include/uapi/linux/vziptable_defs.h
deleted file mode 100644
index d02c6ce3e90f..000000000000
--- a/include/uapi/linux/vziptable_defs.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- *  include/linux/vziptable_defs.h
- *
- *  Copyright (c) 2000-2017 Virtuozzo International GmbH.
- *  All rights reserved.
- *
- */
-
-#ifndef _UAPI_LINUX_VZIPTABLE_DEFS_H
-#define _UAPI_LINUX_VZIPTABLE_DEFS_H
-
-/*
- * This masks represent modules
- *
- * Strictly speaking we use only a small subset
- * of this bits novadays but we MUST RESERVE all
- * the bits were ever used in a sake of ABI compatibility
- * (ie compatibility with vzctl user-space utility)
- *
- * DON'T EVER DELETE/MODIFY THIS BITS
- */
-#define VE_IPT_GENERATE(name, shift)	name = (1U << shift)
-
-enum ve_ipt_mods {
-	VE_IPT_GENERATE(VE_IP_IPTABLES_MOD,		 0),
-	VE_IPT_GENERATE(VE_IP_FILTER_MOD,		 1),
-	VE_IPT_GENERATE(VE_IP_MANGLE_MOD,		 2),
-	VE_IPT_GENERATE(VE_IP_MATCH_LIMIT_MOD,		 3),
-	VE_IPT_GENERATE(VE_IP_MATCH_MULTIPORT_MOD,	 4),
-	VE_IPT_GENERATE(VE_IP_MATCH_TOS_MOD,		 5),
-	VE_IPT_GENERATE(VE_IP_TARGET_TOS_MOD,		 6),
-	VE_IPT_GENERATE(VE_IP_TARGET_REJECT_MOD,	 7),
-	VE_IPT_GENERATE(VE_IP_TARGET_TCPMSS_MOD,	 8),
-	VE_IPT_GENERATE(VE_IP_MATCH_TCPMSS_MOD,		 9),
-	VE_IPT_GENERATE(VE_IP_MATCH_TTL_MOD,		10),
-	VE_IPT_GENERATE(VE_IP_TARGET_LOG_MOD,		11),
-	VE_IPT_GENERATE(VE_IP_MATCH_LENGTH_MOD,		12),
-	VE_IPT_GENERATE(VE_IP_CONNTRACK_MOD,		14),
-	VE_IPT_GENERATE(VE_IP_CONNTRACK_FTP_MOD,	15),
-	VE_IPT_GENERATE(VE_IP_CONNTRACK_IRC_MOD,	16),
-	VE_IPT_GENERATE(VE_IP_MATCH_CONNTRACK_MOD,	17),
-	VE_IPT_GENERATE(VE_IP_MATCH_STATE_MOD,		18),
-	VE_IPT_GENERATE(VE_IP_MATCH_HELPER_MOD,		19),
-	VE_IPT_GENERATE(VE_IP_NAT_MOD,			20),
-	VE_IPT_GENERATE(VE_IP_NAT_FTP_MOD,		21),
-	VE_IPT_GENERATE(VE_IP_NAT_IRC_MOD,		22),
-	VE_IPT_GENERATE(VE_IP_TARGET_REDIRECT_MOD,	23),
-	VE_IPT_GENERATE(VE_IP_MATCH_OWNER_MOD,		24),
-	VE_IPT_GENERATE(VE_IP_MATCH_MAC_MOD,		25),
-	VE_IPT_GENERATE(VE_IP_IPTABLES6_MOD,		26),
-	VE_IPT_GENERATE(VE_IP_FILTER6_MOD,		27),
-	VE_IPT_GENERATE(VE_IP_MANGLE6_MOD,		28),
-	VE_IPT_GENERATE(VE_IP_IPTABLE_NAT_MOD,		29),
-	VE_IPT_GENERATE(VE_NF_CONNTRACK_MOD,		30),
-};
-
-/* these masks represent modules with their dependences */
-#define VE_IP_IPTABLES		(VE_IP_IPTABLES_MOD)
-#define VE_IP_FILTER		(VE_IP_FILTER_MOD | VE_IP_IPTABLES)
-#define VE_IP_MANGLE		(VE_IP_MANGLE_MOD | VE_IP_IPTABLES)
-#define VE_IP_IPTABLES6		(VE_IP_IPTABLES6_MOD)
-#define VE_IP_FILTER6		(VE_IP_FILTER6_MOD | VE_IP_IPTABLES6)
-#define VE_IP_MANGLE6		(VE_IP_MANGLE6_MOD | VE_IP_IPTABLES6)
-#define VE_NF_CONNTRACK		(VE_NF_CONNTRACK_MOD | VE_IP_IPTABLES)
-#define VE_IP_CONNTRACK		(VE_IP_CONNTRACK_MOD | VE_IP_IPTABLES)
-#define VE_IP_CONNTRACK_FTP	(VE_IP_CONNTRACK_FTP_MOD | VE_IP_CONNTRACK)
-#define VE_IP_CONNTRACK_IRC	(VE_IP_CONNTRACK_IRC_MOD | VE_IP_CONNTRACK)
-#define VE_IP_NAT		(VE_IP_NAT_MOD | VE_IP_CONNTRACK)
-#define VE_IP_NAT_FTP		(VE_IP_NAT_FTP_MOD | VE_IP_NAT | VE_IP_CONNTRACK_FTP)
-#define VE_IP_NAT_IRC		(VE_IP_NAT_IRC_MOD | VE_IP_NAT | VE_IP_CONNTRACK_IRC)
-#define VE_IP_IPTABLE_NAT	(VE_IP_IPTABLE_NAT_MOD | VE_IP_CONNTRACK)
-
-/* safe iptables mask to be used by default */
-#define VE_IP_DEFAULT		(VE_IP_IPTABLES | VE_IP_FILTER | VE_IP_MANGLE | \
-				 VE_IP_IPTABLES6 | VE_IP_FILTER6 | VE_IP_MANGLE6)
-
-#define VE_IP_NONE		(0ull)
-#define VE_IP_ALL		(~VE_IP_NONE)
-
-#endif /* _UAPI_LINUX_VZIPTABLE_DEFS_H */
diff --git a/kernel/Kconfig.openvz b/kernel/Kconfig.openvz
index 41f0bc78c631..116f7601c435 100644
--- a/kernel/Kconfig.openvz
+++ b/kernel/Kconfig.openvz
@@ -57,16 +57,8 @@ config VZ_EVENT
 	  networking code does. By now just the notifications of
 	  the VE essensial status changes are being sent.
 
-config VE_IPTABLES
-	bool "VE netfiltering"
-	depends on VE && VE_NETDEV && INET && NETFILTER
-	default y
-	help
-	  This option controls whether to build VE netfiltering code.
-
 config FENCE_WATCHDOG
 	bool "Fencing watchdog for HA cluster support"
 	depends on X86_64
 	default n
-
 endmenu
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 031b104075c8..7d0999e7e234 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -25,7 +25,6 @@
 #include <linux/kthread.h>
 #include <linux/nsproxy.h>
 #include <linux/fs_struct.h>
-#include <linux/vziptable_defs.h>
 #include <uapi/linux/vzcalluser.h>
 
 #include "../cgroup/cgroup-internal.h" /* For cgroup_task_count() */
@@ -67,9 +66,6 @@ struct ve_struct ve0 = {
 					1,
 #else
 					2,
-#endif
-#ifdef CONFIG_VE_IPTABLES
-	.ipt_mask		= VE_IP_ALL,    /* everything is allowed */
 #endif
 	.netns_avail_nr		= ATOMIC_INIT(INT_MAX),
 	.netns_max_nr		= INT_MAX,
@@ -763,31 +759,6 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 	up_write(&ve->op_sem);
 }
 
-#ifdef CONFIG_VE_IPTABLES
-static __u64 ve_setup_iptables_mask(__u64 init_mask)
-{
-	/* Remove when userspace will start supplying IPv6-related bits. */
-	init_mask &= ~VE_IP_IPTABLES6;
-	init_mask &= ~VE_IP_FILTER6;
-	init_mask &= ~VE_IP_MANGLE6;
-	init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
-	init_mask &= ~VE_NF_CONNTRACK_MOD;
-
-	if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
-		init_mask |= VE_IP_IPTABLES6;
-	if (mask_ipt_allow(init_mask, VE_IP_FILTER))
-		init_mask |= VE_IP_FILTER6;
-	if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
-		init_mask |= VE_IP_MANGLE6;
-	if (mask_ipt_allow(init_mask, VE_IP_NAT))
-		init_mask |= VE_IP_IPTABLE_NAT;
-	if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
-		init_mask |= VE_NF_CONNTRACK;
-
-	return init_mask;
-}
-#endif
-
 static int copy_vdso(struct vdso_image **vdso_dst, const struct vdso_image *vdso_src)
 {
 	struct vdso_image *vdso;
@@ -867,10 +838,6 @@ static struct cgroup_subsys_state *ve_create(struct cgroup_subsys_state *parent_
 
 	ve->odirect_enable = 2;
 
-#ifdef CONFIG_VE_IPTABLES
-	ve->ipt_mask = ve_setup_iptables_mask(VE_IP_DEFAULT);
-#endif
-
 	atomic_set(&ve->netns_avail_nr, NETNS_MAX_NR_DEFAULT);
 	ve->netns_max_nr = NETNS_MAX_NR_DEFAULT;
 	ve->meminfo_val = VE_MEMINFO_DEFAULT;
@@ -1193,31 +1160,6 @@ static int ve_features_write(struct cgroup_subsys_state *css, struct cftype *cft
 	return 0;
 }
 
-#ifdef CONFIG_VE_IPTABLES
-static u64 ve_iptables_mask_read(struct cgroup_subsys_state *css, struct cftype *cft)
-{
-	return css_to_ve(css)->ipt_mask;
-}
-
-static int ve_iptables_mask_write(struct cgroup_subsys_state *css, struct cftype *cft, u64 val)
-{
-	struct ve_struct *ve = css_to_ve(css);
-
-	if (!ve_is_super(get_exec_env()) &&
-	    !ve->is_pseudosuper)
-		return -EPERM;
-
-	down_write(&ve->op_sem);
-	if (ve->is_running || ve->ve_ns) {
-		up_write(&ve->op_sem);
-		return -EBUSY;
-	}
-	ve->ipt_mask = ve_setup_iptables_mask(val);
-	up_write(&ve->op_sem);
-	return 0;
-}
-#endif
-
 static int ve_os_release_read(struct seq_file *sf, void *v)
 {
 	struct cgroup_subsys_state *css = seq_css(sf);
@@ -1541,13 +1483,6 @@ static struct cftype ve_cftypes[] = {
 		.seq_show		= ve_os_release_read,
 		.write			= ve_os_release_write,
 	},
-#ifdef CONFIG_VE_IPTABLES
-	{
-		.name			= "iptables_mask",
-		.flags			= CFTYPE_NOT_ON_ROOT,
-		.read_u64		= ve_iptables_mask_read,
-		.write_u64		= ve_iptables_mask_write,
-	},
 	{
 		.name			= "clock_monotonic",
 		.flags			= CFTYPE_NOT_ON_ROOT,
@@ -1562,7 +1497,6 @@ static struct cftype ve_cftypes[] = {
 		.write			= ve_ts_write,
 		.private		= VE_CF_CLOCK_BOOTBASED,
 	},
-#endif
 	{
 		.name			= "netns_max_nr",
 		.flags			= CFTYPE_NOT_ON_ROOT,
-- 
2.28.0

More information about the Devel mailing list