[Devel] [PATCH RH7 00/10] vz7: port nft fib feature from vz8

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Feb 4 11:53:46 MSK 2021


We need the "fib" nft feature to be able to restore an nft ruleset dump. The
original problem is that Docker creates an nft-compat addrtype match rule,
which is converted by "nft list ruleset" to a corresponding "fib" rule,
and if we don't have "fib" in the kernel we fail to restore this ruleset
with nft. This affects CRIU because criu dumps all nft rules via the nft
util.

Note: this is only part of the solution, as the nft utility on the host (vz7) is a
bit outdated and can't understand fib rules anyway, so CRIU needs to
use a modern nft util/library to resolve this.

I take all patches which touch the nft fib modules from rh8: the initial feature
+ fixes, though some patches which don't look fib-specific are skipped
from porting as they touch too many other files. I also add the fib modules
to the config and to autoload.

https://jira.sw.ru/browse/PSBM-125002
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Florian Westphal (2):
  netfilter: nf_tables: add fib expression
  netfilter: don't set F_IFACE on ipv6 fib lookups

Liping Zhang (4):
  netfilter: nft_fib: convert htonl to ntohl properly
  netfilter: nft_fib_ipv4: initialize *dest to zero
  netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source
  netfilter: rpfilter: fix incorrect loopback packet judgment

Pablo M. Bermudo Garay (1):
  netfilter: nf_tables: fib: use skb_header_pointer

Pavel Tikhomirov (2):
  configs: enable modules for nft fib rules
  ve/kmod: make fib modules autoloadable from CT

Phil Sutter (1):
  netfilter: nft_fib: Support existence check

 configs/kernel-3.10.0-x86_64-debug.config |   4 +
 configs/kernel-3.10.0-x86_64.config       |   4 +
 include/net/netfilter/nft_fib.h           |  37 +++
 include/uapi/linux/netfilter/nf_tables.h  |  37 +++
 kernel/kmod.c                             |   5 +
 net/ipv4/netfilter/Kconfig                |   8 +
 net/ipv4/netfilter/Makefile               |   1 +
 net/ipv4/netfilter/ipt_rpfilter.c         |   8 +-
 net/ipv4/netfilter/nft_fib_ipv4.c         | 248 +++++++++++++++++++
 net/ipv6/netfilter/Kconfig                |   8 +
 net/ipv6/netfilter/Makefile               |   1 +
 net/ipv6/netfilter/ip6t_rpfilter.c        |  12 +-
 net/ipv6/netfilter/nft_fib_ipv6.c         | 279 ++++++++++++++++++++++
 net/netfilter/Kconfig                     |  13 +
 net/netfilter/Makefile                    |   2 +
 net/netfilter/nft_fib.c                   | 163 +++++++++++++
 net/netfilter/nft_fib_inet.c              |  82 +++++++
 17 files changed, 900 insertions(+), 12 deletions(-)
 create mode 100644 include/net/netfilter/nft_fib.h
 create mode 100644 net/ipv4/netfilter/nft_fib_ipv4.c
 create mode 100644 net/ipv6/netfilter/nft_fib_ipv6.c
 create mode 100644 net/netfilter/nft_fib.c
 create mode 100644 net/netfilter/nft_fib_inet.c

-- 
2.26.2