From: Kirill Tkhai <ktk...@virtuozzo.com>

Allow conntracks to be allocated when any of these
rules is inserted.

https://jira.sw.ru/browse/PSBM-51050

Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>

Reviewed-by: Andrei Vagin <ava...@virtuozzo.com>

+++
ve/net: Delete allow_conntrack_allocation() from nf_synproxy

Since nf_conntrack_alloc() is not called there anymore,
it's not need to allow CT allocation there.

https://jira.sw.ru/browse/PSBM-54823

Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>

+++
ve/net: Allow conntrack allocation if a rule with xt_CT target is inserted

https://jira.sw.ru/browse/PSBM-54823

Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>

(cherry picked from vz7 commit 3b277df5b8bc ("net: Mark conntrack users
in xtables"))

vz8 rebase notes:
=================
see also
a357b3f80bc8d ("netfilter: nat: add dependencies on conntrack module")
84899a2b9adaf ("netfilter: xtables: remove xt_connmark v0")

Modules which require conntrack call:
nf_ct_netns_get(struct net *net, u8 nfproto) in struct xt_entry
.checkentry callback.

$ grep -Inr 'nf_ct_netns_get' net/netfilter net/ipv4/netfilter 
net/ipv6/netfilter
is useful to find all modules

net/netfilter/nf_conncount.c was added

VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com>

Ported vz8 commit 72cb9749fb95 ("net: Mark conntrack users in xtables").
Repeated the procedure described above to find all ct users.

Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c |  2 ++
 net/ipv4/netfilter/ipt_SYNPROXY.c  |  2 ++
 net/ipv6/netfilter/ip6t_SYNPROXY.c |  2 ++
 net/netfilter/nf_conncount.c       |  2 ++
 net/netfilter/nf_synproxy_core.c   |  2 --
 net/netfilter/xt_CONNSECMARK.c     |  2 ++
 net/netfilter/xt_CT.c              |  1 +
 net/netfilter/xt_HMARK.c           |  1 +
 net/netfilter/xt_MASQUERADE.c      |  6 +++++-
 net/netfilter/xt_NETMAP.c          | 14 ++++++++++++--
 net/netfilter/xt_REDIRECT.c        | 13 +++++++++++--
 net/netfilter/xt_cluster.c         |  2 ++
 net/netfilter/xt_connbytes.c       |  2 ++
 net/netfilter/xt_connlabel.c       |  3 ++-
 net/netfilter/xt_connmark.c        |  2 ++
 net/netfilter/xt_conntrack.c       |  2 ++
 net/netfilter/xt_helper.c          |  1 +
 net/netfilter/xt_ipvs.c            |  1 +
 net/netfilter/xt_nat.c             | 14 ++++++++++++--
 net/netfilter/xt_socket.c          | 11 +++++++++++
 net/netfilter/xt_state.c           |  2 ++
 21 files changed, 77 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c 
b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 46d8c23fd7ae..f657da576896 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -517,6 +517,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param 
*par)
                return ret;
        }
 
+       allow_conntrack_allocation(par->net);
+
        if (!par->net->xt.clusterip_deprecated_warning) {
                pr_info("ipt_CLUSTERIP is deprecated and it will removed soon, "
                        "use xt_cluster instead\n");
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c 
b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f2984c7eef40..ef348d3813d2 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -81,6 +81,8 @@ static int synproxy_tg4_check(const struct xt_tgchk_param 
*par)
                return err;
        }
 
+       allow_conntrack_allocation(par->net);
+
        return err;
 }
 
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c 
b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index d51d0c3e5fe9..8da0a77bdc33 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -84,6 +84,8 @@ static int synproxy_tg6_check(const struct xt_tgchk_param 
*par)
                return err;
        }
 
+       allow_conntrack_allocation(par->net);
+
        return err;
 }
 
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 82f36beb2e76..846f5fc42ba0 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -536,6 +536,8 @@ struct nf_conncount_data *nf_conncount_init(struct net 
*net, unsigned int family
                return ERR_PTR(ret);
        }
 
+       allow_conntrack_allocation(net);
+
        for (i = 0; i < ARRAY_SIZE(data->root); ++i)
                data->root[i] = RB_ROOT;
 
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 0255821cf375..5759f146a24f 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -339,8 +339,6 @@ static int __net_init synproxy_net_init(struct net *net)
        struct nf_conn *ct;
        int err = -ENOMEM;
 
-       allow_conntrack_allocation(net);
-
        ct = nf_ct_tmpl_alloc(net, &nf_ct_zone_dflt, GFP_KERNEL);
        if (!ct)
                goto err1;
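Review bot: Removing the pernet allow_conntrack_allocation() call leaves synproxy dependent on the xtables checkentry hooks added in ipt_SYNPROXY/ip6t_SYNPROXY to mark the netns, so any synproxy user that is not an xtables rule is no longer covered. If this tree carries nft_synproxy (it is absent from the diffstat, and the grep quoted in the rebase notes would list nft_*.c callers as well), its init path needs the same call, presumably in a companion nftables patch; worth confirming before merge. The commit message justifies the removal by nf_conntrack_alloc() no longer being reached from here, and the remaining nf_ct_tmpl_alloc() call is what that claim rests on. synproxy_net_init() continues outside the hunk.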
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 76acecf3e757..3a6675797133 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -106,6 +106,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param 
*par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
        return ret;
 }
 
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 12404d221026..b125fa80d57c 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -202,6 +202,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
        }
        __set_bit(IPS_CONFIRMED_BIT, &ct->status);
        nf_conntrack_get(&ct->ct_general);
+       allow_conntrack_allocation(par->net);
 out:
        info->ct = ct;
        return 0;
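Review bot: The new allow_conntrack_allocation() call sits before the `out:` label rather than at it, so any earlier path in xt_ct_tg_check that jumps to `out:` (presumably the NOTRACK case, which leaves ct NULL) skips marking the netns. That looks intentional, since a notrack rule never allocates a conntrack, but nothing at this spot says so and a later cleanup could easily move the call below the label. A one-line comment would pin it: `/* NOTRACK rules jump to out: and never allocate a conntrack; only template rules mark the netns. */`. xt_ct_tg_check starts outside the hunk.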
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 8928ec56c388..b980e3cde44c 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -327,6 +327,7 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
                errmsg = "spi-set and port-set can't be combined";
                goto err;
        }
+       allow_conntrack_allocation(par->net);
        return 0;
 err:
        pr_info_ratelimited("%s\n", errmsg);
diff --git a/net/netfilter/xt_MASQUERADE.c b/net/netfilter/xt_MASQUERADE.c
index eae05c178336..8998a566b0fb 100644
--- a/net/netfilter/xt_MASQUERADE.c
+++ b/net/netfilter/xt_MASQUERADE.c
@@ -19,6 +19,7 @@ MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
 static int masquerade_tg_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
+       int ret;
 
        if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
                pr_debug("bad MAP_IPS.\n");
@@ -28,7 +29,10 @@ static int masquerade_tg_check(const struct xt_tgchk_param 
*par)
                pr_debug("bad rangesize %u\n", mr->rangesize);
                return -EINVAL;
        }
-       return nf_ct_netns_get(par->net, par->family);
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static unsigned int
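Review bot: The sequence `ret = nf_ct_netns_get(...); if (ret == 0) allow_conntrack_allocation(par->net); return ret;` added here is repeated verbatim in the NETMAP, REDIRECT and xt_nat hunks of this same patch (seven copies), while the match modules use the mirror form `if (ret < 0) ... else allow_conntrack_allocation(...)`. A small wrapper placed next to the allow_conntrack_allocation() declaration, returning nf_ct_netns_get()'s result and marking the netns only on success, would let every NAT target stay a one-liner such as `return nf_ct_netns_get_allow(par->net, par->family);` and give the allow-on-success rule a single home. The next conntrack-using module added to the tree would then be far less likely to forget the call, which is the failure mode this series exists to prevent.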
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index cb2ee80d84fa..8e7be7963569 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -54,10 +54,15 @@ netmap_tg6(struct sk_buff *skb, const struct 
xt_action_param *par)
 static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_range2 *range = par->targinfo;
+       int ret;
 
        if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
                return -EINVAL;
-       return nf_ct_netns_get(par->net, par->family);
+
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static void netmap_tg_destroy(const struct xt_tgdtor_param *par)
@@ -104,6 +109,7 @@ netmap_tg4(struct sk_buff *skb, const struct 
xt_action_param *par)
 static int netmap_tg4_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
+       int ret;
 
        if (!(mr->range[0].flags & NF_NAT_RANGE_MAP_IPS)) {
                pr_debug("bad MAP_IPS.\n");
@@ -113,7 +119,11 @@ static int netmap_tg4_check(const struct xt_tgchk_param 
*par)
                pr_debug("bad rangesize %u.\n", mr->rangesize);
                return -EINVAL;
        }
-       return nf_ct_netns_get(par->net, par->family);
+
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static struct xt_target netmap_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c
index 353ca7801251..0c1eb51e6adc 100644
--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -34,11 +34,15 @@ redirect_tg6(struct sk_buff *skb, const struct 
xt_action_param *par)
 static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_range2 *range = par->targinfo;
+       int ret;
 
        if (range->flags & NF_NAT_RANGE_MAP_IPS)
                return -EINVAL;
 
-       return nf_ct_netns_get(par->net, par->family);
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static void redirect_tg_destroy(const struct xt_tgdtor_param *par)
@@ -50,6 +54,7 @@ static void redirect_tg_destroy(const struct xt_tgdtor_param 
*par)
 static int redirect_tg4_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
+       int ret;
 
        if (mr->range[0].flags & NF_NAT_RANGE_MAP_IPS) {
                pr_debug("bad MAP_IPS.\n");
@@ -59,7 +64,11 @@ static int redirect_tg4_check(const struct xt_tgchk_param 
*par)
                pr_debug("bad rangesize %u.\n", mr->rangesize);
                return -EINVAL;
        }
-       return nf_ct_netns_get(par->net, par->family);
+
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static unsigned int
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index a047a545371e..eddcfa3f9301 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -138,6 +138,8 @@ static int xt_cluster_mt_checkentry(const struct 
xt_mtchk_param *par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
        return ret;
 }
 
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 93cb018c3055..ffb3b6b420cb 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -114,6 +114,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param 
*par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
 
        /*
         * This filter cannot function correctly unless connection tracking
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 87505cdad5f1..71df654b3f85 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -64,7 +64,8 @@ static int connlabel_mt_check(const struct xt_mtchk_param 
*par)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
                return ret;
-       }
+       } else
+               allow_conntrack_allocation(par->net);
 
        ret = nf_connlabels_get(par->net, info->bit);
        if (ret < 0)
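Review bot: The changed line `} else` leaves the else branch unbraced while the if branch is braced, which kernel coding style asks to avoid (braces on both branches or on neither). Because the if branch ends in `return ret;`, the else is not needed at all: keep the closing `}` as it was and put `allow_conntrack_allocation(par->net);` on its own line after the block, the straight-line placement the xt_helper and xt_ipvs hunks of this patch already use. connlabel_mt_check starts outside the hunk.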
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index e5ebc0810675..653ac77b7d51 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -137,6 +137,8 @@ static int connmark_mt_check(const struct xt_mtchk_param 
*par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
        return ret;
 }
 
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ea299da24734..d79c4410436a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -271,6 +271,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param 
*par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
        return ret;
 }
 
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index a5a167f941e0..819b2f2d04a4 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -63,6 +63,7 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
                return ret;
        }
        info->name[sizeof(info->name) - 1] = '\0';
+       allow_conntrack_allocation(par->net);
        return 0;
 }
 
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 253c71cc9a63..11ea83b2e72c 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -164,6 +164,7 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
                return -EINVAL;
        }
 
+       allow_conntrack_allocation(par->net);
        return 0;
 }
 
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index b4f7bbc3f3ca..abfa9d643f1c 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -16,17 +16,27 @@
 static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
+       int ret;
 
        if (mr->rangesize != 1) {
                pr_info_ratelimited("multiple ranges no longer supported\n");
                return -EINVAL;
        }
-       return nf_ct_netns_get(par->net, par->family);
+
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static int xt_nat_checkentry(const struct xt_tgchk_param *par)
 {
-       return nf_ct_netns_get(par->net, par->family);
+       int ret;
+
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret == 0)
+               allow_conntrack_allocation(par->net);
+       return ret;
 }
 
 static void xt_nat_destroy(const struct xt_tgdtor_param *par)
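Review bot: Both checkentry callbacks now mark the netns as a conntrack user, but xt_nat_destroy, whose signature closes this hunk and whose body is unchanged, does not undo it; the same asymmetry holds for netmap_tg_destroy and redirect_tg_destroy elsewhere in this patch, where nf_ct_netns_get() is balanced by a put but allow_conntrack_allocation() has no counterpart. If the flag is meant to be sticky for the netns's lifetime that is fine, but it means a container that once inserted a NAT rule keeps allocating conntracks after the rule is gone. The definition of allow_conntrack_allocation() is not in this diff, so I cannot tell which is intended; a comment at its declaration stating that the flag is one-way, or a sentence in the commit message, would settle it. xt_nat_destroy's body lies outside the hunk.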
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 5e6459e11605..7e1eb8be4d82 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -15,6 +15,7 @@
 #include <net/icmp.h>
 #include <net/sock.h>
 #include <net/inet_sock.h>
+#include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
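Review bot: The new `#include <net/netfilter/nf_conntrack.h>` is unconditional, as are the allow_conntrack_allocation() calls added to the socket_mt_v*_check functions further down, whereas upstream xt_socket.c only pulls this header in under `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` (so this is likely a second include of the same header). If xt_socket can still be built with CONFIG_NF_CONNTRACK=n in this tree, the build then depends on allow_conntrack_allocation() having a stub for that configuration, which this diff does not show. Either wrap the include and the calls in the same guard, or confirm the stub exists and drop the duplicate include.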
@@ -165,6 +166,12 @@ static int socket_mt_enable_defrag(struct net *net, int 
family)
        return 0;
 }
 
+static int socket_mt_v0_check(const struct xt_mtchk_param *par)
+{
+       allow_conntrack_allocation(par->net);
+       return 0;
+}
+
 static int socket_mt_v1_check(const struct xt_mtchk_param *par)
 {
        const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) 
par->matchinfo;
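Review bot: socket_mt_v0_check, newly registered for the revision-0 IPv4 match, carries no comment explaining why a checkentry callback that validates nothing exists; unlike the v1–v3 checks that reject unknown flag bits, its only job is the allow_conntrack_allocation() call. A one-line comment above it would make that explicit: `/* Revision 0 has nothing to validate; the callback only marks the netns as a conntrack user. */`. That revision 0 has no matchinfo to check is inferred from the callback's body, not stated in the hunk.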
@@ -179,6 +186,7 @@ static int socket_mt_v1_check(const struct xt_mtchk_param 
*par)
                                    info->flags & ~XT_SOCKET_FLAGS_V1);
                return -EINVAL;
        }
+       allow_conntrack_allocation(par->net);
        return 0;
 }
 
@@ -196,6 +204,7 @@ static int socket_mt_v2_check(const struct xt_mtchk_param 
*par)
                                    info->flags & ~XT_SOCKET_FLAGS_V2);
                return -EINVAL;
        }
+       allow_conntrack_allocation(par->net);
        return 0;
 }
 
@@ -213,6 +222,7 @@ static int socket_mt_v3_check(const struct xt_mtchk_param 
*par)
                                    info->flags & ~XT_SOCKET_FLAGS_V3);
                return -EINVAL;
        }
+       allow_conntrack_allocation(par->net);
        return 0;
 }
 
@@ -230,6 +240,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .revision       = 0,
                .family         = NFPROTO_IPV4,
                .match          = socket_mt4_v0,
+               .checkentry     = socket_mt_v0_check,
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
                                  (1 << NF_INET_LOCAL_IN),
                .me             = THIS_MODULE,
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index bbe07b1be9a3..1a2c7f2bd004 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -43,6 +43,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
        if (ret < 0)
                pr_info_ratelimited("cannot load conntrack support for 
proto=%u\n",
                                    par->family);
+       else
+               allow_conntrack_allocation(par->net);
        return ret;
 }
 
-- 
2.30.2
