On Mon, Jun 08, 2015 at 05:22:25PM +0300, Kirill Tkhai wrote:
> Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:
>
> Currently a CT owner can configure ipset rules which are not virtualized =>
> affect the whole Hardware Node.
>
> We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
> let's prohibit ipset configuration from inside a CT while it's not done.
>
> https://jira.sw.ru/browse/PSBM-27792
> https://bugzilla.openvz.org/show_bug.cgi?id=2644
>
> Signed-off-by: Kirill Tkhai <ktk...@parallels.com>
> ---
>  net/netfilter/nfnetlink.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
> index e17ad78..07e040f 100644
> --- a/net/netfilter/nfnetlink.c
> +++ b/net/netfilter/nfnetlink.c
> @@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
>  	    skb->len < nlh->nlmsg_len)
>  		return;
>
> -	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
> +	if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
> +	    (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) &&
> +	     NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {

The second expression is a subset of the first one.

>  		netlink_ack(skb, nlh, -EPERM);
>  		return;
>  	}
>
> _______________________________________________
> Devel mailing list
> Devel@openvz.org
> https://lists.openvz.org/mailman/listinfo/devel
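Review bot: the rewritten condition in the hunk is logically identical to the line it replaces, because `A || (A && B)` simplifies to `A`; both clauses test `ns_capable(net->user_ns, CAP_VE_NET_ADMIN)`, so a container process holding CAP_VE_NET_ADMIN still passes the check and its NFNL_SUBSYS_IPSET messages are not rejected, which is the opposite of what the commit message says the patch does. The second clause needs a test that is true inside a CT and false on the Hardware Node, not the same capability checked a second time; the tree's own helper for "this request comes from inside a CT" is not visible in this hunk, but the intended shape is `if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) || (<caller is inside a CT> && NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET))`. It would also help to state in the commit message that this is a temporary block until ipset is virtualized (PSBM-27793), so the hunk can be reverted cleanly later.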