[Devel] [PATCH vz9 03/16] fence-watchdog/arptables: add ability to filter by watchdog timeout
Nikita Yushchenko
nikita.yushchenko at virtuozzo.com
Wed Sep 29 10:00:04 MSK 2021
From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
arptable uses fixed structure arpt_arp for passing match
parameters. Let's use flags field of that structure to
indicate, that we want to match by watchdog timeout.
Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Rebased: @ktkhai
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
(cherry-picked from vz8 commit 1e4cc0e67b82 ("fence-watchdog/arptables:
add ability to filter by watchdog timeout"))
Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
include/uapi/linux/netfilter_arp/arp_tables.h | 7 ++++---
net/ipv4/netfilter/arp_tables.c | 7 +++++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
index bbf5af2b67a8..c7e501386130 100644
--- a/include/uapi/linux/netfilter_arp/arp_tables.h
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -73,9 +73,9 @@ struct arpt_arp {
};
/* Values for "flag" field in struct arpt_ip (general arp structure).
- * No flags defined yet.
*/
-#define ARPT_F_MASK 0x00 /* All possible flag bits mask. */
+#define ARPT_WDOGTMO 0x80
+#define ARPT_F_MASK 0x80 /* All possible flag bits mask. */
/* Values for "inv" field in struct arpt_arp. */
#define ARPT_INV_VIA_IN 0x0001 /* Invert the sense of IN IFACE. */
@@ -88,7 +88,8 @@ struct arpt_arp {
#define ARPT_INV_ARPHRD 0x0080 /* Invert the sense of ARP HRD. */
#define ARPT_INV_ARPPRO 0x0100 /* Invert the sense of ARP PRO. */
#define ARPT_INV_ARPHLN 0x0200 /* Invert the sense of ARP HLN. */
-#define ARPT_INV_MASK 0x03FF /* All possible flag bits mask. */
+#define ARPT_INV_WDOGTMO 0x8000 /* Invert the sense if ARPT_WDOGTMO flag */
+#define ARPT_INV_MASK 0x83FF /* All possible flag bits mask. */
/* This structure defines each of the firewall rules. Consists of 3
parts which are 1) general ARP header stuff 2) match specific
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 8bd6c32d62ce..4fb9fd6a38fb 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -26,6 +26,7 @@
#include <net/compat.h>
#include <net/sock.h>
#include <linux/uaccess.h>
+#include <linux/fence-watchdog.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
@@ -90,6 +91,12 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
__be32 src_ipaddr, tgt_ipaddr;
long ret;
+#ifdef CONFIG_FENCE_WATCHDOG
+ if (NF_INVF(arpinfo, ARPT_INV_WDOGTMO,
+ (arpinfo->flags & ARPT_WDOGTMO) && !fence_wdog_tmo_match()))
+ return 0;
+#endif
+
if (NF_INVF(arpinfo, ARPT_INV_ARPOP,
(arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop))
return 0;
--
2.30.2
More information about the Devel
mailing list