[Devel] [PATCH RHEL8 COMMIT] ve/netfilter: Send iptables/netfilter kernel error messages to Containers

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 24 16:18:33 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.32
------>
commit 57ac570c2fba62b0df043695184196e5fd47ef8c
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Tue May 18 20:54:15 2021 +0300

    ve/netfilter: Send iptables/netfilter kernel error messages to Containers
    
    Rebasing and splitting the netfilter subsystem
    (port 66-diff-ve-net-netfilter-combined).
    Part 1.
    
    https://jira.sw.ru/browse/PSBM-18322
    
    Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
    
    khorenko@: rebase to kernel-3.10.0-229.7.2.el7:
      * hunk for include/net/netfilter/xt_log.h has been dropped
        cause the file absents now
      * couple of CAP_NET_ADMIN -> CAP_NET_ADMIN + CAP_VE_NET_ADMIN
        replacements have been dropped because Initial patch
        already have proper version
    
    +++
    ve/net/printk: net_veboth_ratelimited introduced
    
    net_veboth_ratelimited is required to save net-ratelimited messages
    both into host and into containers dmesg buffers
    
    Signed-off-by:  Vasily Averin <vvs at openvz.org>
    Acked-by: Kirill Tkhai <ktkhai at odin.com>
    
    ==============================================
    
    net: remove CAP_VE_NET_ADMIN from "ve/netfilter: Basic ve transformations"
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
    
    (cherry picked from vz7 commit 522bec3451a3 ("ve/netfilter: Basic ve
    transformations")
    
    VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
    
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
    
    khorenko@:
     1. As we've dropped iptables mask in vz8, it's not possible that some
        xt_table is absent in a Container => dropped ve_xt_table_forbidden()
        and its users.
    
     2. As a result the patch degrades into just redirects of error messages
        to VE log + some compat tweak in compat_do_ipt_set_ctl().
---
 net/ipv4/netfilter/ip_tables.c  | 12 +++++--
 net/ipv4/netfilter/ipt_REJECT.c |  4 +--
 net/netfilter/x_tables.c        | 70 +++++++++++++++++++++--------------------
 net/netfilter/xt_TCPMSS.c       | 12 ++++---
 net/netfilter/xt_limit.c        |  4 +--
 5 files changed, 56 insertions(+), 46 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index e3bc52578af3..35761394b634 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -391,9 +391,12 @@ mark_source_chains(const struct xt_table_info *newinfo,
 				= (void *)ipt_get_target_c(e);
 			int visited = e->comefrom & (1 << hook);
 
-			if (e->comefrom & (1 << NF_INET_NUMHOOKS))
+			if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
+				ve_printk(VE_LOG, "iptables: loop hook %u pos "
+						  "%u %08X.\n",
+					  hook, pos, e->comefrom);
 				return 0;
-
+			}
 			e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
 
 			/* Unconditional return/END. */
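Review bot: The new "iptables: loop hook" message at the top of the hunk is the only diagnostic in this series that is not rate-limited, yet it sits on the ruleset-load path that a container with CAP_NET_ADMIN can drive in a tight loop by repeatedly submitting a looping chain. Every other call site the series touches uses the rate-limited variant, so this one should match: `ve_printk_ratelimited(VE_LOG, "iptables: loop hook %u pos %u %08X.\n", hook, pos, e->comefrom);`. The message is also a regression of one upstream removed deliberately, so a one-line comment saying it is re-added for container visibility would help the next rebase. mark_source_chains starts and ends outside this hunk.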
@@ -1537,6 +1540,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
 	return ret;
 }
 
+static int
+do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len);
+
 static int
 compat_do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user,
 		      unsigned int len)
@@ -1556,7 +1562,7 @@ compat_do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user,
 		break;
 
 	default:
-		ret = -EINVAL;
+		ret = do_ipt_set_ctl(sk, cmd, user, len);
 	}
 
 	return ret;
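Review bot: Replacing `ret = -EINVAL;` in the `default:` arm with a forward to do_ipt_set_ctl hands a buffer written by a 32-bit caller to the native handler, which interprets it with 64-bit structure layouts; the commit message only calls this a "compat tweak" and does not say which command it is meant to serve. The compat switch above already handles the two commands upstream's do_ipt_set_ctl knows (IPT_SO_SET_REPLACE and IPT_SO_SET_ADD_COUNTERS), so as far as this hunk shows the forward is either dead or serving a vz-specific command that is not visible here. A catch-all forward also means any command added to the native handler later is silently accepted from compat callers with the wrong layout; prefer an explicit `case` for the intended command and keep `ret = -EINVAL;` as the default, and name the command in the commit message. compat_do_ipt_set_ctl starts outside this hunk, and the forward declaration added in the previous hunk suggests the cleaner fix of defining do_ipt_set_ctl before its compat sibling.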
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index e8bed3390e58..36c9a96d994e 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
 	const struct ipt_entry *e = par->entryinfo;
 
 	if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
-		pr_info_ratelimited("ECHOREPLY no longer supported.\n");
+		ve_printk_ratelimited(VE_LOG, "ECHOREPLY no longer supported.\n");
 		return -EINVAL;
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP ||
 		    (e->ip.invflags & XT_INV_PROTO)) {
-			pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
+			ve_printk_ratelimited(VE_LOG, "TCP_RESET invalid for non-tcp\n");
 			return -EINVAL;
 		}
 	}
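Review bot: The two messages in reject_tg_check lose whatever module prefix pr_info_ratelimited applied through pr_fmt (in most xt modules that is `KBUILD_MODNAME ": "`), so a container administrator now sees a bare "TCP_RESET invalid for non-tcp" with nothing identifying the REJECT target as its source. If ve_printk_ratelimited does not apply pr_fmt itself, wrap the format: `ve_printk_ratelimited(VE_LOG, pr_fmt("TCP_RESET invalid for non-tcp\n"));`, and likewise for the ECHOREPLY line. This appears to affect every pr_*_ratelimited conversion in the series, so a single decision in the macro would be better than per-call fixes. reject_tg_check ends outside this hunk.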
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c5014610d3b9..596cdd2cc77b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -473,35 +473,36 @@ int xt_check_match(struct xt_mtchk_param *par,
 		 * ebt_among is exempt from centralized matchsize checking
 		 * because it uses a dynamic-size data set.
 		 */
-		pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
-				   xt_prefix[par->family], par->match->name,
-				   par->match->revision,
-				   XT_ALIGN(par->match->matchsize), size);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u match: invalid size "
+		       "%u (kernel) != (user) %u\n",
+		       xt_prefix[par->family], par->match->name,
+		       par->match->revision,
+		       XT_ALIGN(par->match->matchsize), size);
 		return -EINVAL;
 	}
 	if (par->match->table != NULL &&
 	    strcmp(par->match->table, par->table) != 0) {
-		pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
-				    xt_prefix[par->family], par->match->name,
-				    par->match->table, par->table);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid in %s table, not %s\n",
+		       xt_prefix[par->family], par->match->name,
+		       par->match->table, par->table);
 		return -EINVAL;
 	}
 	if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
 		char used[64], allow[64];
 
-		pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
-				    xt_prefix[par->family], par->match->name,
-				    textify_hooks(used, sizeof(used),
-						  par->hook_mask, par->family),
-				    textify_hooks(allow, sizeof(allow),
-						  par->match->hooks,
-						  par->family));
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: used from hooks %s, but only "
+		       "valid from %s\n",
+		       xt_prefix[par->family], par->match->name,
+		       textify_hooks(used, sizeof(used), par->hook_mask,
+		                     par->family),
+		       textify_hooks(allow, sizeof(allow), par->match->hooks,
+		                     par->family));
 		return -EINVAL;
 	}
 	if (par->match->proto && (par->match->proto != proto || inv_proto)) {
-		pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
-				    xt_prefix[par->family], par->match->name,
-				    par->match->proto);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid for protocol %u\n",
+		       xt_prefix[par->family], par->match->name,
+		       par->match->proto);
 		return -EINVAL;
 	}
 	if (par->match->checkentry != NULL) {
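Review bot: The "invalid size" message at the top of the hunk was pr_err_ratelimited while the other three were pr_info, and the distinction matters: a kernel/user matchsize mismatch is the one check here that indicates a malformed or crafted xt_replace blob rather than an ordinary rule-writing mistake, and after this change the host no longer sees it at all because VE_LOG routes only to the container's buffer. The series description introduces net_veboth_ratelimited precisely for messages that should reach both host and container; if a ve_printk equivalent exists, use it for the size-mismatch case and keep the container-only variant for the table/hook/protocol hints. The same applies to the parallel size check in xt_check_target in the next hunk. xt_check_match starts and ends outside this hunk.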
@@ -991,35 +992,36 @@ int xt_check_target(struct xt_tgchk_param *par,
 	int ret;
 
 	if (XT_ALIGN(par->target->targetsize) != size) {
-		pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
-				   xt_prefix[par->family], par->target->name,
-				   par->target->revision,
-				   XT_ALIGN(par->target->targetsize), size);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u target: invalid size "
+		       "%u (kernel) != (user) %u\n",
+		       xt_prefix[par->family], par->target->name,
+		       par->target->revision,
+		       XT_ALIGN(par->target->targetsize), size);
 		return -EINVAL;
 	}
 	if (par->target->table != NULL &&
 	    strcmp(par->target->table, par->table) != 0) {
-		pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
-				    xt_prefix[par->family], par->target->name,
-				    par->target->table, par->table);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid in %s table, not %s\n",
+		       xt_prefix[par->family], par->target->name,
+		       par->target->table, par->table);
 		return -EINVAL;
 	}
 	if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
 		char used[64], allow[64];
 
-		pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
-				    xt_prefix[par->family], par->target->name,
-				    textify_hooks(used, sizeof(used),
-						  par->hook_mask, par->family),
-				    textify_hooks(allow, sizeof(allow),
-						  par->target->hooks,
-						  par->family));
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: used from hooks %s, but only "
+		       "usable from %s\n",
+		       xt_prefix[par->family], par->target->name,
+		       textify_hooks(used, sizeof(used), par->hook_mask,
+		                     par->family),
+		       textify_hooks(allow, sizeof(allow), par->target->hooks,
+		                     par->family));
 		return -EINVAL;
 	}
 	if (par->target->proto && (par->target->proto != proto || inv_proto)) {
-		pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
-				    xt_prefix[par->family], par->target->name,
-				    par->target->proto);
+		ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid for protocol %u\n",
+		       xt_prefix[par->family], par->target->name,
+		       par->target->proto);
 		return -EINVAL;
 	}
 	if (par->target->checkentry != NULL) {
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 98efb202f8b4..a8bd2680f8df 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -108,7 +108,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 		unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);
 
 		if (min_mtu <= minlen) {
-			net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
+			net_velog_ratelimited("unknown or invalid path-MTU (%u)\n",
 					    min_mtu);
 			return -1;
 		}
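Review bot: Unlike every other conversion in this series, tcpmss_mangle_packet runs on the packet path, typically in softirq context, where the current task is whatever happened to be interrupted; if net_velog_ratelimited picks the target log from the current execution environment rather than from the packet, the path-MTU error can land in an unrelated container's log (leaking a hint about another container's forwarded traffic) or in the host's. The message should be attributed from the skb, e.g. via the netns of `skb_dst(skb)->dev` or `skb->dev`, or stay host-only if the macro cannot take a netns. A comment on the line saying which VE the macro resolves in softirq context would settle this either way. tcpmss_mangle_packet starts and ends outside this hunk.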
@@ -273,7 +273,8 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 			   (1 << NF_INET_LOCAL_OUT) |
 			   (1 << NF_INET_POST_ROUTING))) != 0) {
-		pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
+		ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in "
+				  "FORWARD, OUTPUT and POSTROUTING hooks\n");
 		return -EINVAL;
 	}
 	if (par->nft_compat)
@@ -282,7 +283,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 	xt_ematch_foreach(ematch, e)
 		if (find_syn_match(ematch))
 			return 0;
-	pr_info_ratelimited("Only works on TCP SYN packets\n");
+	ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n");
 	return -EINVAL;
 }
 
@@ -297,7 +298,8 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 	    (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 			   (1 << NF_INET_LOCAL_OUT) |
 			   (1 << NF_INET_POST_ROUTING))) != 0) {
-		pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
+		ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in "
+				  "FORWARD, OUTPUT and POSTROUTING hooks\n");
 		return -EINVAL;
 	}
 	if (par->nft_compat)
@@ -306,7 +308,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 	xt_ematch_foreach(ematch, e)
 		if (find_syn_match(ematch))
 			return 0;
-	pr_info_ratelimited("Only works on TCP SYN packets\n");
+	ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n");
 	return -EINVAL;
 }
 #endif
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 9f098ecb2449..01ef88265879 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -106,8 +106,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
 	/* Check for overflow. */
 	if (r->burst == 0
 	    || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
-		pr_info_ratelimited("Overflow, try lower: %u/%u\n",
-				    r->avg, r->burst);
+		ve_printk_ratelimited(VE_LOG, "Overflow, try lower: %u/%u\n",
+				  r->avg, r->burst);
 		return -ERANGE;
 	}
 

