[Devel] [PATCH vz9 03/16] fence-watchdog/arptables: add ability to filter by watchdog timeout

Nikita Yushchenko nikita.yushchenko at virtuozzo.com
Wed Sep 29 10:00:04 MSK 2021


From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

arptables uses the fixed structure arpt_arp for passing match
parameters. Let's use the flags field of that structure to
indicate that we want to match by watchdog timeout.

Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Rebased: @ktkhai

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

(cherry-picked from vz8 commit 1e4cc0e67b82 ("fence-watchdog/arptables:
add ability to filter by watchdog timeout"))

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 include/uapi/linux/netfilter_arp/arp_tables.h | 7 ++++---
 net/ipv4/netfilter/arp_tables.c               | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
index bbf5af2b67a8..c7e501386130 100644
--- a/include/uapi/linux/netfilter_arp/arp_tables.h
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -73,9 +73,9 @@ struct arpt_arp {
 };
 
 /* Values for "flag" field in struct arpt_ip (general arp structure).
- * No flags defined yet.
  */
-#define ARPT_F_MASK		0x00	/* All possible flag bits mask. */
+#define ARPT_WDOGTMO		0x80
+#define ARPT_F_MASK		0x80	/* All possible flag bits mask. */
 
 /* Values for "inv" field in struct arpt_arp. */
 #define ARPT_INV_VIA_IN		0x0001	/* Invert the sense of IN IFACE. */
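Review bot: `ARPT_F_MASK` is widened to 0x80 unconditionally, while the only consumer of `ARPT_WDOGTMO` visible in this patch (the check added to `arp_packet_match`) is compiled only under `CONFIG_FENCE_WATCHDOG`. If rule validation uses this mask to reject unknown flag bits (that code is not part of the patch), a kernel built without the option would accept a rule carrying `ARPT_WDOGTMO` and then match it regardless of watchdog state, so the rule silently applies more broadly than its author intended. A UAPI header cannot be conditioned on a `CONFIG_` symbol, so the rejection belongs in the kernel-side entry check, along the lines of `if (!IS_ENABLED(CONFIG_FENCE_WATCHDOG) && (flags & ARPT_WDOGTMO)) return 0;`. The new define is also the only one here without a comment; something like `/* Match on fence-watchdog timeout state (vendor extension, top bit). */` would record why 0x80 was chosen.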
@@ -88,7 +88,8 @@ struct arpt_arp {
 #define ARPT_INV_ARPHRD		0x0080	/* Invert the sense of ARP HRD. */
 #define ARPT_INV_ARPPRO		0x0100	/* Invert the sense of ARP PRO. */
 #define ARPT_INV_ARPHLN		0x0200	/* Invert the sense of ARP HLN. */
-#define ARPT_INV_MASK		0x03FF	/* All possible flag bits mask. */
+#define ARPT_INV_WDOGTMO	0x8000	/* Invert the sense if ARPT_WDOGTMO flag */
+#define ARPT_INV_MASK		0x83FF	/* All possible flag bits mask. */
 
 /* This structure defines each of the firewall rules.  Consists of 3
    parts which are 1) general ARP header stuff 2) match specific
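Review bot: The comment on `ARPT_INV_WDOGTMO` reads "Invert the sense if ARPT_WDOGTMO flag", where "if" should be "of". I would write it as `/* Invert the sense of the ARPT_WDOGTMO match. */`. The value skips 0x0400–0x4000, presumably to avoid colliding with future upstream inversion bits; saying so in the comment would stop a later rebase from reusing the gap by accident.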
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 8bd6c32d62ce..4fb9fd6a38fb 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -26,6 +26,7 @@
 #include <net/compat.h>
 #include <net/sock.h>
 #include <linux/uaccess.h>
+#include <linux/fence-watchdog.h>
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_arp/arp_tables.h>
@@ -90,6 +91,12 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
 	__be32 src_ipaddr, tgt_ipaddr;
 	long ret;
 
+#ifdef CONFIG_FENCE_WATCHDOG
+	if (NF_INVF(arpinfo, ARPT_INV_WDOGTMO,
+		    (arpinfo->flags & ARPT_WDOGTMO) && !fence_wdog_tmo_match()))
+		return 0;
+#endif
+
 	if (NF_INVF(arpinfo, ARPT_INV_ARPOP,
 		    (arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop))
 		return 0;
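Review bot: A rule that has `ARPT_INV_WDOGTMO` set in `invflags` but not `ARPT_WDOGTMO` in `flags` can never match, assuming `NF_INVF` XORs its condition with the inversion bit as its other uses in this function suggest: the inner expression is false, the inversion makes it true, and the function returns 0 for every packet. `ARPT_INV_MASK` now admits that bit on its own, so nothing visible in this patch prevents such a rule from being loaded. Either reject the combination when the entry is validated, or apply the inversion only when the flag is present: `if ((arpinfo->flags & ARPT_WDOGTMO) && NF_INVF(arpinfo, ARPT_INV_WDOGTMO, !fence_wdog_tmo_match()))`. The body of `arp_packet_match` starts before and continues after this hunk.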
-- 
2.30.2


