[Devel] [PATCH RHEL7 COMMIT] ve/ipset: prohibit ipset from the inside CT

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 10 08:08:48 PDT 2015

The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.12
commit 845504788d862ed3f094e4ce65b1cfaa1f4e0a48
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Wed Jun 10 19:08:47 2015 +0400

    ve/ipset: prohibit ipset from the inside CT
        ipset: prohibit ipset from the inside CT
        Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
        Currently a CT owner can configure ipset rules which are not virtualized =>
        affect the whole Hardware Node.
        We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
        let's prohibit ipset configuration from inside a CT while it's not done.
        Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
 net/netfilter/nfnetlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e17ad78..b8f00e60 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
 	    skb->len < nlh->nlmsg_len)
-	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
+	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
+	    (net->owner_ve != get_ve0() &&
+		NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {
 		netlink_ack(skb, nlh, -EPERM);

More information about the Devel mailing list