Add the SIOCSFIXEDADDR ioctl. If we want to forbid changing the MAC address of a veth device, we need to call this ioctl and set ifr_ifru.ifru_flags to 1.
And we need to set ifr_ifru.ifru_flags to 0 to allow changing mac address. This ioctl is protected by CAP_NET_ADMIN.
Signed-off-by: Andrew Vagin <ava...@openvz.org>
---
 drivers/net/veth.c | 17 ++++++++++++++++-
 include/linux/netdev_features.h | 2 ++
 include/uapi/linux/veth.h | 1 +
 3 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 7f98a05..1d85174 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -274,6 +274,14 @@ static void veth_dev_free(struct net_device *dev)
 free_netdev(dev);
 }
+static int veth_mac_addr(struct net_device *dev, void *p)
+{
+ if (dev->features & NETIF_F_VENET &&
+ dev->features & NETIF_F_FIXED_ADDR)
+ return -EPERM;
+ return eth_mac_addr(dev, p);
+}
+
 static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 {
 if (!capable(CAP_NET_ADMIN))
@@ -294,6 +302,13 @@ static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd
 return 0;
 }
+ case SIOCSFIXEDADDR:
+ if (ifr->ifr_ifru.ifru_flags)
+ dev->features |= NETIF_F_FIXED_ADDR;
+ else
+ dev->features &= ~NETIF_F_FIXED_ADDR;
+ return 0;
+
 }
 return -ENOTTY;
 }
@@ -304,7 +319,7 @@ static const struct net_device_ops veth_netdev_ops = {
 .ndo_start_xmit = veth_xmit,
 .ndo_change_mtu = veth_change_mtu,
 .ndo_get_stats64 = veth_get_stats64,
- .ndo_set_mac_address = eth_mac_addr,
+ .ndo_set_mac_address = veth_mac_addr,
 .ndo_do_ioctl = vzethdev_net_ioctl,
 };
diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
index 2d72a7a..5c2e191 100644
--- a/include/linux/netdev_features.h
+++ b/include/linux/netdev_features.h
@@ -64,6 +64,7 @@ enum {
 NETIF_F_HW_VLAN_STAG_FILTER_BIT,/* Receive filtering on VLAN STAGs */
 NETIF_F_VENET_BIT, /* device is venet device */
 NETIF_F_VIRTUAL_BIT, /* can be registered inside VE */
+ NETIF_F_FIXED_ADDR_BIT,
 /*
 * Add your fresh new feature above and remember to update
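Review bot: In the new veth_mac_addr(), -EPERM is returned only when NETIF_F_VENET and NETIF_F_FIXED_ADDR are both set, while the SIOCSFIXEDADDR case added in vzethdev_net_ioctl() sets NETIF_F_FIXED_ADDR without looking at NETIF_F_VENET. On a device that does not carry NETIF_F_VENET the ioctl therefore returns 0 but the address stays changeable, and the caller that asked for the lock has no way to notice. Either test the one bit, `if (dev->features & NETIF_F_FIXED_ADDR) return -EPERM;`, or have the ioctl refuse when NETIF_F_VENET is clear; if the pairing is intended, a comment such as `/* the fixed address is only enforced on venet-flagged devices */` above the test would record it.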
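Review bot: The SIOCSFIXEDADDR case lets one and the same caller set and clear NETIF_F_FIXED_ADDR, and the only gate visible is the `capable(CAP_NET_ADMIN)` check at the top of vzethdev_net_ioctl(), whose body starts outside this hunk. If the lock is meant to bind an administrator inside the container, it is worth confirming that such an administrator cannot pass that check on the container-side device, because otherwise the restriction can be lifted by the party it is supposed to restrict. The case would also read more easily with a one-line comment, for example `/* nonzero ifru_flags locks the MAC address, zero unlocks it */`.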
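Review bot: NETIF_F_FIXED_ADDR_BIT is the only entry in this run of the enum without a trailing comment, and the block comment directly below it asks that a new feature be accompanied by further updates (the sentence is cut off by the hunk). The diffstat lists only veth.c, netdev_features.h and the uapi veth.h, so whatever that comment points at (in mainline it is the netdev_features_strings[] table used by ethtool) does not appear to be touched by this patch; it is worth checking that the name table still has one entry per bit. Suggested comment: `NETIF_F_FIXED_ADDR_BIT, /* MAC address may not be changed */`.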
@@ -120,6 +121,7 @@ enum {
 #define NETIF_F_HW_VLAN_STAG_TX __NETIF_F(HW_VLAN_STAG_TX)
 #define NETIF_F_VENET __NETIF_F(VENET)
 #define NETIF_F_VIRTUAL __NETIF_F(VIRTUAL)
+#define NETIF_F_FIXED_ADDR __NETIF_F(FIXED_ADDR)
 /* Features valid for ethtool to change */
 /* = all defined minus driver/device-class-related */
diff --git a/include/uapi/linux/veth.h b/include/uapi/linux/veth.h
index 27e7795..b331a38 100644
--- a/include/uapi/linux/veth.h
+++ b/include/uapi/linux/veth.h
@@ -19,5 +19,6 @@ enum {
 };
 #define SIOCSVENET (SIOCDEVPRIVATE + 0xf)
+#define SIOCSFIXEDADDR (SIOCDEVPRIVATE + 0xe)
 #endif
--
1.7.1
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
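Review bot: SIOCSFIXEDADDR enters the uapi header in veth.h with no statement of its argument, so a userspace caller has to read the driver to learn that it takes a struct ifreq and treats ifr_ifru.ifru_flags as a boolean. A one-line comment above the define would cover it: `/* ifr_flags != 0: forbid MAC address changes; 0: allow them (needs CAP_NET_ADMIN) */`. The number sits in the SIOCDEVPRIVATE range, which other drivers reuse for their own private ioctls, so the comment should also say that it is only meaningful on veth devices.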