[Devel] [PATCH RHEL8 COMMIT] net: Mark conntrack users in nftables

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 24 16:20:36 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.32
------>
commit fb71f85bf77321dcb87b230ee6a70c444996e16f
Author: Kirill Tkhai <ktkhai at virtuozzo.com>
Date:   Mon May 24 16:20:36 2021 +0300

    net: Mark conntrack users in nftables
    
    Allow conntracks to be allocated when these
    rules are inserted.
    
    https://jira.sw.ru/browse/PSBM-51050
    
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
    Reviewed-by: Andrei Vagin <avagin at virtuozzo.com>
    
    vz8 rebase notes:
    =================
    (cherry picked from vz7 commit 60931ce1ffcf ("net: Mark conntrack users
    in nftables"))
    
    Modules which require conntrack call:
    nf_ct_netns_get(struct net *net, u8 nfproto) in struct xt_entry
    .checkentry callback.
    
    $ grep -Inr 'nf_ct_netns_get' net/netfilter net/ipv4/netfilter net/ipv6/netfilter
    is useful to find all modules
    
    Added:
    net/netfilter/nft_connlimit.c
    net/netfilter/nft_masq.c
    net/netfilter/nft_redir.c
    
    VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
    
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 net/netfilter/nft_connlimit.c | 7 ++++++-
 net/netfilter/nft_ct.c        | 2 ++
 net/netfilter/nft_masq.c      | 6 +++++-
 net/netfilter/nft_nat.c       | 6 +++++-
 net/netfilter/nft_redir.c     | 6 +++++-
 5 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 69d6173f91e2..d8b952078fa4 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
 {
 	bool invert = false;
 	u32 flags, limit;
+	int err;
 
 	if (!tb[NFTA_CONNLIMIT_COUNT])
 		return -EINVAL;
@@ -80,7 +81,11 @@ static int nft_connlimit_do_init(const struct nft_ctx *ctx,
 	priv->limit	= limit;
 	priv->invert	= invert;
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
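Review bot: allow_conntrack_allocation(ctx->net) is called once the netns reference is taken, but no counterpart is added on the destroy side, whose signature is this hunk's last context line (nft_connlimit_do_destroy), so the mark presumably outlives the rule that set it. If it is meant to be a one-way per-netns latch, say so in the commit message or at the call with `/* one-way: conntrack stays allowed after the rule is removed */`; if it is reference-counted it needs a release in the destroy path. The same call pattern is added in nft_masq_init, nft_nat_init and nft_redir_init, so whichever applies here applies to those three hunks as well. nft_connlimit_do_init begins outside the hunk.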
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index bbdb1e219edb..1e11f3585f76 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -507,6 +507,8 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 	    priv->key == NFT_CT_AVGPKT)
 		nf_ct_set_acct(ctx->net, true);
 
+	allow_conntrack_allocation(ctx->net);
+
 	return 0;
 }
 
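Review bot: The mark is placed unconditionally at the end of nft_ct_get_init, which is only correct because the function's nf_ct_netns_get() call and its error return sit earlier, outside this hunk; a one-line comment `/* netns ref already taken above, so conntrack may now be enabled */` would tie the two together for readers of this tail. Upstream nft_ct.c also takes the conntrack netns reference in the ct set expression's init, which this patch does not touch; if that path exists in this tree it presumably needs the same allow_conntrack_allocation() call, and the commit's grep-based inventory should list it either way. nft_ct_get_init begins outside the hunk.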
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 061ef95af2f5..84db12eb3e2f 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -78,7 +78,11 @@ static int nft_masq_init(const struct nft_ctx *ctx,
 		}
 	}
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_masq_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index a540d9cf56c1..84d1ba34af81 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -203,7 +203,11 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 			return -EOPNOTSUPP;
 	}
 
-	return nf_ct_netns_get(ctx->net, family);
+	err = nf_ct_netns_get(ctx->net, family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index e19d7b27f103..1d16af6b5eba 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -79,7 +79,11 @@ static int nft_redir_init(const struct nft_ctx *ctx,
 			return -EINVAL;
 	}
 
-	return nf_ct_netns_get(ctx->net, ctx->family);
+	err = nf_ct_netns_get(ctx->net, ctx->family);
+	if (err == 0)
+		allow_conntrack_allocation(ctx->net);
+
+	return err;
 }
 
 int nft_redir_dump(struct sk_buff *skb, const struct nft_expr *expr)

