[Devel] [PATCH RHEL COMMIT] fence-watchdog: Add xt_wdog_tmo netfilter match

Konstantin Khorenko khorenko at virtuozzo.com
Thu Sep 30 17:43:58 MSK 2021 

The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 1bc85277bc44cb24cff8392d5fb0ca7e8168978d
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Thu Sep 30 17:43:58 2021 +0300

    fence-watchdog: Add xt_wdog_tmo netfilter match
    
    fix wdog_tmo_mt and wdog_tmo_mt_check to match prototypes
    
    Author: Dmitry Guryanov
    Email: dguryanov at parallels.com
    Subject: watchdog: add wdog_tmo match
    Date: Fri, 8 Nov 2013 22:38:09 +0400
    
    Add wdog_tmo netfilter match, which returns true if out watchdog
    timeout exceed.
    
    You have to set watchdog action to 'netfilter', so that host won't
    reboot or halt.
    
    Fix for:
    https://jira.sw.ru/browse/PSBM-23253
    
    Dmitry Guryanov (2):
      watchdog: add netfilter action
      watchdog: add wdog_tmo match
    
    This patch description:
    
    Add wdog_tmo match, which could be used to forbid network
    traffic in case of watchdog timeout.
    
    This match doesn't have any parameters, example of usage:
    iptables -A OUTPUT -m wdog_tmo -j DROP
    
    You have to add support of this match to userspace iptables part.
    
    Signed-off-by: Dmitry Guryanov <dguryanov at parallels.com>
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Acked-by: Andrew Vagin <avagin at virtuozzo.com>
    
    (cherry-picked from vz8 commit b97a20406a8f ("fence-watchdog: Add
    xt_wdog_tmo netfilter match"))
    
    Added "CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m" to
    redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
    
    Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
---
 net/netfilter/Kconfig                              |  6 +++
 net/netfilter/Makefile                             |  1 +
 net/netfilter/xt_wdog_tmo.c                        | 56 ++++++++++++++++++++++
 .../generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO     |  1 +
 4 files changed, 64 insertions(+)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 54395266339d..39c47979b515 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1645,6 +1645,12 @@ config NETFILTER_XT_MATCH_U32
 
 	  Details and examples are in the kernel module source.
 
+config NETFILTER_XT_MATCH_WDOG_TMO
+	tristate '"wdog_tmo" watchdog timer match'
+	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK && FENCE_WATCHDOG
+	help
+	  This option selects the watchdog timer match module.
+
 endif # NETFILTER_XTABLES
 
 endmenu
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 049890e00a3d..2d93db999518 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -206,6 +206,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_WDOG_TMO) += xt_wdog_tmo.o
 
 # ipset
 obj-$(CONFIG_IP_SET) += ipset/
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
new file mode 100644
index 000000000000..80047ad71405
--- /dev/null
+++ b/net/netfilter/xt_wdog_tmo.c
@@ -0,0 +1,56 @@
+/*
+ *  net/netfilter/xt_wdog_tmo.c
+ *
+ *  Copyright (c) 2013-2015 Parallels IP Holdings GmbH
+ *  Copyright (c) 2017-2021 Virtuozzo International GmbH. All rights reserved.
+ *
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/fence-watchdog.h>
+
+static bool
+wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	return fence_wdog_tmo_match();
+}
+
+int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
+{
+
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+	return 0;
+}
+
+static struct xt_match wdog_tmo_mt_reg __read_mostly = {
+		.name       = "wdog_tmo",
+		.revision   = 0,
+		.family     = NFPROTO_UNSPEC,
+		.match      = wdog_tmo_mt,
+		.checkentry = wdog_tmo_mt_check,
+		.matchsize  = 0,
+		.me         = THIS_MODULE,
+};
+
+static int __init wdog_tmo_mt_init(void)
+{
+	return xt_register_match(&wdog_tmo_mt_reg);
+}
+
+static void __exit wdog_tmo_mt_exit(void)
+{
+	xt_unregister_match(&wdog_tmo_mt_reg);
+}
+
+module_init(wdog_tmo_mt_init);
+module_exit(wdog_tmo_mt_exit);
+MODULE_AUTHOR("Dmitry Guryanov <dguryanov at virtuozzo.com>");
+MODULE_DESCRIPTION("Xtables: fence watchdog timeout matching");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_wdog_tmo");
+MODULE_ALIAS("ip6t_wdog_tmo");
diff --git a/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
new file mode 100644
index 000000000000..390db568ebdb
--- /dev/null
+++ b/redhat/configs/custom-overrides/generic/CONFIG_NETFILTER_XT_MATCH_WDOG_TMO
@@ -0,0 +1 @@
+CONFIG_NETFILTER_XT_MATCH_WDOG_TMO=m

More information about the Devel mailing list