[Devel] [PATCH vz9 02/16] fence-watchdog: Add xt_wdog_tmo netfilter match

Nikita Yushchenko nikita.yushchenko at virtuozzo.com
Wed Sep 29 10:00:03 MSK 2021


From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

fix wdog_tmo_mt and wdog_tmo_mt_check to match prototypes

Author: Dmitry Guryanov
Email: dguryanov at parallels.com
Subject: watchdog: add wdog_tmo match
Date: Fri, 8 Nov 2013 22:38:09 +0400

Add wdog_tmo netfilter match, which returns true once our watchdog
timeout has been exceeded.

You have to set watchdog action to 'netfilter', so that host won't
reboot or halt.

Fix for:
https://jira.sw.ru/browse/PSBM-23253

Dmitry Guryanov (2):
  watchdog: add netfilter action
  watchdog: add wdog_tmo match

This patch description:

Add wdog_tmo match, which could be used to forbid network
traffic in case of watchdog timeout.

This match doesn't have any parameters, example of usage:
iptables -A OUTPUT -m wdog_tmo -j DROP

You have to add support of this match to userspace iptables part.

Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Andrew Vagin <avagin at virtuozzo.com>

(cherry-picked from vz8 commit b97a20406a8f ("fence-watchdog: Add
xt_wdog_tmo netfilter match"))

Added "CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m" to
redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO

Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 net/netfilter/Kconfig                         |  6 ++
 net/netfilter/Makefile                        |  1 +
 net/netfilter/xt_wdog_tmo.c                   | 56 +++++++++++++++++++
 .../CONFIG_NETFILTER_XT_MATCH_WDOG_TMO        |  1 +
 4 files changed, 64 insertions(+)
 create mode 100644 net/netfilter/xt_wdog_tmo.c
 create mode 100644 redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 54395266339d..39c47979b515 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1645,6 +1645,12 @@ config NETFILTER_XT_MATCH_U32
 
 	  Details and examples are in the kernel module source.
 
+config NETFILTER_XT_MATCH_WDOG_TMO
+	tristate '"wdog_tmo" watchdog timer match'
+	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK && FENCE_WATCHDOG
+	help
+	  This option selects the watchdog timer match module.
+
 endif # NETFILTER_XTABLES
 
 endmenu
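Review bot: The help text under `config NETFILTER_XT_MATCH_WDOG_TMO` only restates the option name, so a reader of menuconfig cannot tell what the match does or when it fires. I would extend it with the behaviour given in the patch description, e.g. `This match succeeds once the fence watchdog timeout has expired; it lets rules such as "iptables -A OUTPUT -m wdog_tmo -j DROP" cut network traffic instead of rebooting or halting the host (watchdog action 'netfilter').` It may also be worth stating in the help text that rules using this match can only be inserted from the host, since the module's checkentry rejects other environments.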
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 049890e00a3d..2d93db999518 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -206,6 +206,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_WDOG_TMO) += xt_wdog_tmo.o
 
 # ipset
 obj-$(CONFIG_IP_SET) += ipset/
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
new file mode 100644
index 000000000000..80047ad71405
--- /dev/null
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -0,0 +1,56 @@
+/*
+ *  net/netfilter/xt_wdog_tmo.c
+ *
+ *  Copyright (c) 2013-2015 Parallels IP Holdings GmbH
+ *  Copyright (c) 2017-2021 Virtuozzo International GmbH. All rights reserved.
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/fence-watchdog.h>
+
+static bool
+wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	return fence_wdog_tmo_match();
+}
+
+int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
+{
+
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+	return 0;
+}
+
+static struct xt_match wdog_tmo_mt_reg __read_mostly = {
+		.name       = "wdog_tmo",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.match      = wdog_tmo_mt,
+		.checkentry = wdog_tmo_mt_check,
+		.matchsize  = 0,
+		.me         = THIS_MODULE,
+};
+
+static int __init wdog_tmo_mt_init(void)
+{
+	return xt_register_match(&wdog_tmo_mt_reg);
+}
+
+static void __exit wdog_tmo_mt_exit(void)
+{
+	xt_unregister_match(&wdog_tmo_mt_reg);
+}
+
+module_init(wdog_tmo_mt_init);
+module_exit(wdog_tmo_mt_exit);
+MODULE_AUTHOR("Dmitry Guryanov <dguryanov at virtuozzo.com>");
+MODULE_DESCRIPTION("Xtables: fence watchdog timeout matching");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_wdog_tmo");
+MODULE_ALIAS("ip6t_wdog_tmo");
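Review bot: `wdog_tmo_mt_check` at `int wdog_tmo_mt_check(const struct xt_mtchk_param *par)` is defined with external linkage, although it is only ever referenced through `wdog_tmo_mt_reg` in this file; it should be `static int wdog_tmo_mt_check(const struct xt_mtchk_param *par)` to keep it out of the kernel's global symbol namespace and consistent with `wdog_tmo_mt`, `wdog_tmo_mt_init` and `wdog_tmo_mt_exit`. The commit message says the two callbacks were fixed to match their prototypes, so the missing `static` looks like an oversight rather than intent. The stray blank line after the opening brace of that function can be dropped at the same time. A one-line comment on the `ve_is_super` check would help the next reader, e.g. `/* only the host may install rules that key on the fence watchdog */`, since that restriction is the security-relevant part of the module. The includes `<linux/file.h>` and `<net/sock.h>` do not appear to be needed by anything in the visible file; worth confirming they can go.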
diff --git a/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
new file mode 100644
index 000000000000..390db568ebdb
--- /dev/null
+++ b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
@@ -0,0 +1 @@
+CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m
-- 
2.30.2


