The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.5.23 ------> commit 256d400af10b3e8298834f2e6e384e57adba5386 Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Date: Tue Jun 30 18:28:56 2015 +0400
ve/iptables: fix mask initialization and changing Patchset description: ve: fix initialization and remove sysctl_fsync_enable v2: - initialize only on ve cgroup creation, remove get_ve_features - rename setup_iptables_mask into ve_setup_iptables_mask https://jira.sw.ru/browse/PSBM-34286 https://jira.sw.ru/browse/PSBM-34285 Pavel Tikhomirov (4): ve: remove sysctl_fsync_enable and use ve_fsync_behavior instead ve: initialize fsync_enable also for non ve0 environment ve: iptables: fix mask initialization and changing ve: cgroup: initialize odirect_enable, features and _randomize_va_space ===================================================================== This patch description: - initialize mask on ve cgroup creation - put ipt_mask under CONFIG_VE_IPTABLES - reuse setup_iptables_mask v2: rename setup_iptables_mask into ve_setup_iptables_mask Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/ve.h | 4 ++++ kernel/ve/Makefile | 2 ++ kernel/ve/ve.c | 59 ++++++++++++++++++++++++++++++++++------------------- kernel/ve/vecalls.c | 29 +------------------------- 4 files changed, 45 insertions(+), 49 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index 5489cab..7ba3f92 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -154,6 +154,10 @@ extern int nr_ve;
 extern struct proc_dir_entry *proc_vz_dir;
 extern struct cgroup_subsys ve_subsys;
+#ifdef CONFIG_VE_IPTABLES
+extern __u64 ve_setup_iptables_mask(__u64 init_mask);
+#endif
+
 #ifdef CONFIG_VE
 #define ve_uevent_seqnum (get_exec_env()->_uevent_seqnum)
diff --git a/kernel/ve/Makefile b/kernel/ve/Makefile
index c45948f..c32e03d 100644
--- a/kernel/ve/Makefile
+++ b/kernel/ve/Makefile
@@ -20,6 +20,8 @@ obj-$(CONFIG_VE_CALLS) += vzstat.o
 obj-$(CONFIG_VZ_IOLIMIT) += vziolimit.o
+obj-$(CONFIG_VE_IPTABLES) += ve.o
+
 obj-m += dummy/ip6_vzprivnet.o
 obj-m += dummy/ip_vzprivnet.o
 obj-m += dummy/pio_nfs.o
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 9e37dd5..946b0d6 100644
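Review bot: The new `obj-$(CONFIG_VE_IPTABLES) += ve.o` line needs a justification in the Makefile, because ve.c also holds the ve cgroup subsystem (ve_create lives there), which suggests ve.o is already built under a CONFIG_VE-keyed line outside this hunk. If CONFIG_VE_IPTABLES implies CONFIG_VE the line is redundant; if it does not, this pulls ve.c's cgroup code into a build that lacks its dependencies. A Kconfig dependency, or at least a comment such as `# ve_setup_iptables_mask() is defined in ve.c`, would make the intent checkable.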
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -613,6 +613,34 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 put_ve(ve); /* from ve_start_container() */
 }
+#ifdef CONFIG_VE_IPTABLES
+
+__u64 ve_setup_iptables_mask(__u64 init_mask)
+{
+ /* Remove when userspace will start supplying IPv6-related bits. */
+ init_mask &= ~VE_IP_IPTABLES6;
+ init_mask &= ~VE_IP_FILTER6;
+ init_mask &= ~VE_IP_MANGLE6;
+ init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
+ init_mask &= ~VE_NF_CONNTRACK_MOD;
+
+ if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
+ init_mask |= VE_IP_IPTABLES6;
+ if (mask_ipt_allow(init_mask, VE_IP_FILTER))
+ init_mask |= VE_IP_FILTER6;
+ if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
+ init_mask |= VE_IP_MANGLE6;
+ if (mask_ipt_allow(init_mask, VE_IP_NAT))
+ init_mask |= VE_IP_IPTABLE_NAT;
+ if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
+ init_mask |= VE_NF_CONNTRACK;
+
+ return init_mask;
+}
+EXPORT_SYMBOL(ve_setup_iptables_mask);
+
+#endif
+
 static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
 {
 struct ve_struct *ve = &ve0;
@@ -636,6 +664,10 @@ static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
 ve->fsync_enable = 2;
+#ifdef CONFIG_VE_IPTABLES
+ ve->ipt_mask = ve_setup_iptables_mask(VE_IP_DEFAULT);
+#endif
+
 ve->sched_lat_ve.cur = alloc_percpu(struct kstat_lat_pcpu_snap_struct);
 if (!ve->sched_lat_ve.cur)
 goto err_lat;
@@ -1071,8 +1103,10 @@ static u64 ve_read_u64(struct cgroup *cg, struct cftype *cft)
 {
 if (cft->private == VE_CF_FEATURES)
 return cgroup_ve(cg)->features;
+#ifdef CONFIG_VE_IPTABLES
 else if (cft->private == VE_CF_IPTABLES_MASK)
 return cgroup_ve(cg)->ipt_mask;
+#endif
 return 0;
 }
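Review bot: ve_setup_iptables_mask() becomes a cross-module interface in this hunk (declared in include/linux/ve.h and EXPORT_SYMBOL'd), yet its only comment is the inherited `/* Remove when userspace will start supplying IPv6-related bits. */`, which covers the first clearing step but not that the *_MOD bits are cleared too or that the NAT and conntrack bits are re-derived from the IPv4 bits. A kernel-doc header above the definition should state that the function normalizes a caller-supplied VE_IP_* mask: it drops the IPv6 and module bits, then sets them again only where mask_ipt_allow() permits it for the corresponding IPv4 bit, and returns the normalized mask. Because the same routine now normalizes both the cgroup-written value (ve_write_u64) and the creation-time default, that header is also the place to say whether bits outside the known VE_IP_* set are meant to pass through untouched, as the code currently lets them.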
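Review bot: Wrapping the `else if (cft->private == VE_CF_IPTABLES_MASK)` arm of ve_read_u64 in `#ifdef CONFIG_VE_IPTABLES` (and the matching arm of ve_write_u64 in the next hunk) leaves the if/else chain silently degraded when the option is off: a read of that cftype falls through to `return 0;` and a write falls through to `up_write(&ve->op_sem); return 0;`, so userspace sees success for a setting the kernel does not implement. The `#ifdef` itself appears necessary, since the patch description says ipt_mask is being placed under CONFIG_VE_IPTABLES and the field is presumably absent otherwise; the concern is only what the compiled-out arm leaves behind. If the cftype with private VE_CF_IPTABLES_MASK is still registered without CONFIG_VE_IPTABLES, consider leaving it out of the cftype array under the same guard, or returning an error such as `-EOPNOTSUPP` from ve_write_u64 when the arm is compiled out. ve_write_u64's body begins outside its hunk.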
@@ -1091,27 +1125,10 @@ static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
 if (cft->private == VE_CF_FEATURES)
 ve->features = value;
- else if (cft->private == VE_CF_IPTABLES_MASK) {
- value &= ~VE_IP_IPTABLES6;
- value &= ~VE_IP_FILTER6;
- value &= ~VE_IP_MANGLE6;
- value &= ~VE_IP_IPTABLE_NAT_MOD;
- value &= ~VE_NF_CONNTRACK_MOD;
-
- if (mask_ipt_allow(value, VE_IP_IPTABLES))
- value |= VE_IP_IPTABLES6;
- if (mask_ipt_allow(value, VE_IP_FILTER))
- value |= VE_IP_FILTER6;
- if (mask_ipt_allow(value, VE_IP_MANGLE))
- value |= VE_IP_MANGLE6;
- if (mask_ipt_allow(value, VE_IP_NAT))
- value |= VE_IP_IPTABLE_NAT;
- if (mask_ipt_allow(value, VE_IP_CONNTRACK))
- value |= VE_NF_CONNTRACK;
-
- ve->ipt_mask = value;
- }
-
+#ifdef CONFIG_VE_IPTABLES
+ else if (cft->private == VE_CF_IPTABLES_MASK)
+ ve->ipt_mask = ve_setup_iptables_mask(value);
+#endif
 up_write(&ve->op_sem);
 return 0;
 }
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index be4fb1e..00c5c04 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -224,33 +224,6 @@ static __u64 get_ve_features(env_create_param_t *data, int datalen)
 (VE_FEATURES_DEF & ~known_features);
 }
-#ifdef CONFIG_VE_IPTABLES
-
-static __u64 setup_iptables_mask(__u64 init_mask)
-{
- /* Remove when userspace will start supplying IPv6-related bits. */
- init_mask &= ~VE_IP_IPTABLES6;
- init_mask &= ~VE_IP_FILTER6;
- init_mask &= ~VE_IP_MANGLE6;
- init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
- init_mask &= ~VE_NF_CONNTRACK_MOD;
-
- if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
- init_mask |= VE_IP_IPTABLES6;
- if (mask_ipt_allow(init_mask, VE_IP_FILTER))
- init_mask |= VE_IP_FILTER6;
- if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
- init_mask |= VE_IP_MANGLE6;
- if (mask_ipt_allow(init_mask, VE_IP_NAT))
- init_mask |= VE_IP_IPTABLE_NAT;
- if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
- init_mask |= VE_NF_CONNTRACK;
-
- return init_mask;
-}
-
-#endif
-
 static int init_ve_struct(struct ve_struct *ve, u32 class_id,
 env_create_param_t *data, int datalen)
 {
@@ -265,7 +238,7 @@ static int init_ve_struct(struct ve_struct *ve,
 /* Set up ipt_mask as it will be used during
 * net namespace initialization */
- ve->ipt_mask = setup_iptables_mask(data ? data->iptables_mask
+ ve->ipt_mask = ve_setup_iptables_mask(data ? data->iptables_mask
 : VE_IP_DEFAULT);
 #endif
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel