From: Kirill Gorkunov <gorcu...@virtuozzo.com> If we load the gre module on the node, say because we need gre transport on the node for some reason, this affects containers -- they won't be checkpointable (due to lack of support in userspace) until the module is unloaded from the node again. We have a special feature bit to control this transport creation, so let's start considering its value.
https://jira.sw.ru/browse/PSBM-84241 Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com> Rebased to vz8: - With ms commit 64bc17811b72 ("ipv4: speedup ipv6 tunnels dismantle") tunnels started to use ops->exit_batch with ip_tunnel_delete_nets instead of ip_tunnel_delete_net and ops->exit, which this commit modified With rebase commit 70e5af2252244 ("net: Make ipip feature optional") ip_tunnel_delete_nets is aware of itn being NULL in some net namespaces. So we can safely drop op->exit hunks. - Use net_generic_free instead of net_assign_generic for the same reasons as 70e5af2252244 ("net: Make ipip feature optional") (cherry-picked from vz7 commit 2db99ab7bfe2 ("net/gre: Consider VE_FEATURE_IPGRE on new net creation")) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> (cherry picked from vz8 commit 3190cd175f4a44667e4bdf31430613928450e06a) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 include/uapi/linux/vzcalluser.h | 2 +-
 net/ipv4/ip_gre.c | 20 ++++++++++++++++++++
 net/ipv4/ip_tunnel.c | 4 ++++
 net/ipv6/ip6_gre.c | 28 ++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index 6ae1853..282b2b8 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -44,7 +44,7 @@ struct vzctl_ve_configure {
 #define VE_FEATURE_SIT (1ULL << 3)
 #define VE_FEATURE_IPIP (1ULL << 4)
 #define VE_FEATURE_PPP (1ULL << 5)
-#define VE_FEATURE_IPGRE (1ULL << 6) /* deprecated */
+#define VE_FEATURE_IPGRE (1ULL << 6)
 #define VE_FEATURE_BRIDGE (1ULL << 7)
 #define VE_FEATURE_NFSD (1ULL << 8)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 87a682b..b1087ee 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -45,6 +45,9 @@
 #include <net/dst_metadata.h>
 #include <net/erspan.h>
+#include <uapi/linux/vzcalluser.h>
+#include <linux/ve.h>
+
 /*
 Problems & solutions
 --------------------
@@ -1018,6 +1021,12 @@ static int ipgre_tunnel_init(struct net_device *dev)
 static int __net_init ipgre_init_net(struct net *net)
 {
+#ifdef CONFIG_VE
+ if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+ net_generic_free(net, ipgre_net_id);
+ return 0;
+ }
+#endif
 return ip_tunnel_init_net(net, ipgre_net_id, &ipgre_link_ops, NULL);
 }
@@ -1336,6 +1345,11 @@ static void ipgre_tap_setup(struct net_device *dev)
 {
 struct ip_tunnel_encap ipencap;
+#ifdef CONFIG_VE
+ if (!(dev_net(dev)->owner_ve->features & VE_FEATURE_IPGRE))
+ return -EACCES;
+#endif
+
 if (ipgre_netlink_encap_parms(data, &ipencap)) {
 struct ip_tunnel *t = netdev_priv(dev);
 int err = ip_tunnel_encap_setup(t, &ipencap);
@@ -1680,6 +1694,12 @@ struct net_device *gretap_fb_dev_create(struct net *net, const char *name,
 static int __net_init ipgre_tap_init_net(struct net *net)
 {
+#ifdef CONFIG_VE
+ if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+ net_generic_free(net, gre_tap_net_id);
+ return 0;
+ }
+#endif
 return ip_tunnel_init_net(net, gre_tap_net_id, &ipgre_tap_ops, "gretap0");
 }
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 13efb32..10d231b 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -90,6 +90,10 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
 struct net_device *ndev;
 unsigned int hash;
+#ifdef CONFIG_VE
+ if (!itn) /* no VE_FEATURE_IPGRE */
+ return NULL;
+#endif
 hash = ip_tunnel_hash(key, remote);
 head = &itn->tunnels[hash];
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 454a4a2..3d06e3c 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -29,6 +29,7 @@
 #include <linux/hash.h>
 #include <linux/if_tunnel.h>
 #include <linux/ip6_tunnel.h>
+#include <linux/ve.h>
 #include <net/sock.h>
 #include <net/ip.h>
@@ -53,6 +54,7 @@
 #include <net/erspan.h>
 #include <net/dst_metadata.h>
+#include <uapi/linux/vzcalluser.h>
 static bool log_ecn_error = true;
 module_param(log_ecn_error, bool, 0644);
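Review bot: The early-return path added to ipgre_init_net() leaves the `ipgre_net_id` slot NULL for the whole life of the namespace, and nothing next to the code says which later users of `net_generic(net, ipgre_net_id)` are expected to cope with that. This patch guards `ip_tunnel_lookup()` and the description relies on `ip_tunnel_delete_nets()` tolerating a NULL `itn`, but that contract lives only in the commit message. I would state it at the check, e.g. `/* GRE disabled for this VE: per-net state is freed and stays NULL; every net_generic() user must handle that */`. The same comment is missing on the identical guards in ipgre_tap_init_net() and ip6gre_init_net().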
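Review bot: The link-creation check in the `-1336` hunk tests the live feature mask (`dev_net(dev)->owner_ve->features`), whereas the init hooks decide once, at namespace creation, whether per-net GRE state exists, and ip6gre_newlink_common() tests the per-net pointer instead. If the mask can change after the namespace has been set up (not visible from this patch), the IPv4 check could pass in a namespace whose `itn` was freed, and the tunnel code reached afterwards would run without per-net state. Testing what the later code actually depends on would be safer and consistent with the IPv6 side, e.g. `if (!net_generic(dev_net(dev), <net id of the link type>)) return -EACCES;`. The enclosing function starts outside the hunk; the `ipgre_tap_setup` name in the hunk header is only diff context, since the added code returns a value.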
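Review bot: Only the `ipgre_net_id` and `gre_tap_net_id` pernet init hooks are gated in ip_gre.c. The file includes `<net/erspan.h>`, so if this tree also registers an ERSPAN pernet init with its own fallback device (not shown in these hunks), a container without VE_FEATURE_IPGRE would still get that device, which may leave the checkpointing problem described in the commit message partly in place. Worth confirming, and adding the same guard there if such a hook exists.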
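Review bot: The comment `/* no VE_FEATURE_IPGRE */` on the new NULL check in ip_tunnel_lookup() is misleading, because this is the shared lookup in ip_tunnel.c and the commit message itself says `itn` can also be NULL because of the optional ipip feature. Something like `/* per-net tunnel state was not set up for this VE */` describes the condition without naming a single feature. The function's full signature and the rest of its body are outside the hunk.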
@@ -129,6 +131,11 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct net_device *dev,
 int score, cand_score = 4;
 struct net_device *ndev;
+#ifdef CONFIG_VE
+ if (!ign) /* no VE_FEATURE_IPGRE */
+ return NULL;
+#endif
+
 for_each_ip_tunnel_rcu(t, ign->tunnels_r_l[h0 ^ h1]) {
 if (!ipv6_addr_equal(local, &t->parms.laddr) ||
 !ipv6_addr_equal(remote, &t->parms.raddr) ||
@@ -1555,6 +1562,11 @@ static void ip6gre_destroy_tunnels(struct net *net, struct list_head *head)
 struct net_device *dev, *aux;
 int prio;
+#ifdef CONFIG_VE
+ if (!ign) /* no VE_FEATURE_IPGRE */
+ return;
+#endif
+
 for_each_netdev_safe(net, dev, aux)
 if (dev->rtnl_link_ops == &ip6gre_link_ops ||
 dev->rtnl_link_ops == &ip6gre_tap_ops ||
@@ -1587,6 +1599,13 @@ static int __net_init ip6gre_init_net(struct net *net)
 struct net_device *ndev;
 int err;
+#ifdef CONFIG_VE
+ if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+ net_generic_free(net, ip6gre_net_id);
+ return 0;
+ }
+#endif
+
 if (!net_has_fallback_tunnels(net))
 return 0;
 ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
@@ -1967,6 +1986,15 @@ static int ip6gre_newlink_common(struct net *src_net, struct net_device *dev,
 struct ip6_tnl *nt;
 struct ip_tunnel_encap ipencap;
 int err;
+#ifdef CONFIG_VE
+ struct net *net = dev_net(dev);
+ struct ip6gre_net *ign;
+
+ ign = net_generic(net, ip6gre_net_id);
+
+ if (!ign) /* no VE_FEATURE_IPGRE */
+ return -EACCES;
+#endif
 nt = netdev_priv(dev);
-- 
1.8.3.1
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
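Review bot: In ip6gre_newlink_common() the new check fails link creation with a bare `-EACCES`, so an administrator inside the container cannot tell a disabled VE feature from an ordinary permission error. If the function receives a `struct netlink_ext_ack *extack` (its parameter list is cut off in the hunk header), setting a message before returning would make the refusal diagnosable, e.g. `NL_SET_ERR_MSG(extack, "GRE tunnels are disabled for this container");`. The same applies to the IPv4 link-creation check in ip_gre.c.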