The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh9-5.14.0-4.vz9.10.12 ------> commit 122051db0dbe194a2822a8f050c60cd405f4541d Author: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> Date: Wed Oct 20 11:39:32 2021 +0300
ve/netfilter: Send iptables/netfilter kernel error messages to Containers Rebasing and splitting netfilters subsystem (port 66-diff-ve-net-netfilter-combined). Part 1. https://jira.sw.ru/browse/PSBM-18322 Signed-off-by: Kirill Tkhai <ktk...@parallels.com> khorenko@: rebase to kernel-3.10.0-229.7.2.el7: * hunk for include/net/netfilter/xt_log.h has been dropped because the file is absent now * couple of CAP_NET_ADMIN -> CAP_NET_ADMIN + CAP_VE_NET_ADMIN replacements have been dropped because the initial patch already has the proper version +++ ve/net/printk: net_veboth_ratelimited introduced net_veboth_ratelimited is required to save net-ratelimited messages both into host and into container dmesg buffers Signed-off-by: Vasily Averin <v...@openvz.org> Acked-by: Kirill Tkhai <ktk...@odin.com> ============================================== net: remove CAP_VE_NET_ADMIN from "ve/netfilter: Basic ve transformations" https://jira.sw.ru/browse/PSBM-39077 Signed-off-by: Andrew Vagin <ava...@virtuozzo.com> Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com> (cherry picked from vz7 commit 522bec3451a3 ("ve/netfilter: Basic ve transformations") VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> khorenko@: 1. As we've dropped the iptables mask in vz8, it's not possible that some xt_table is absent in a Container => dropped ve_xt_table_forbidden() and its users. 2. As a result the patch degrades into just redirects of error messages to the VE log + some compat tweak in compat_do_ipt_set_ctl(). (cherry-picked from vz8 commit 0c548f7a4989 ("ve/netfilter: Send iptables/netfilter kernel error messages to Containers")) 
Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
 net/ipv4/netfilter/ip_tables.c | 7 +++--
 net/ipv4/netfilter/ipt_REJECT.c | 4 +--
 net/netfilter/x_tables.c | 70 +++++++++++++++++++++--------------------
 net/netfilter/xt_TCPMSS.c | 12 ++++---
 net/netfilter/xt_limit.c | 4 +--
 5 files changed, 52 insertions(+), 45 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4b38026f429b..1bb2855ae956 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -388,9 +388,12 @@ mark_source_chains(const struct xt_table_info *newinfo,
 = (void *)ipt_get_target_c(e);
 int visited = e->comefrom & (1 << hook);
- if (e->comefrom & (1 << NF_INET_NUMHOOKS))
+ if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
+ ve_printk(VE_LOG, "iptables: loop hook %u pos "
+ "%u %08X.\n",
+ hook, pos, e->comefrom);
 return 0;
-
+ }
 e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
 /* Unconditional return/END. */
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 4b8840734762..1138b583ef58 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -72,13 +72,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
 const struct ipt_entry *e = par->entryinfo;
 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
- pr_info_ratelimited("ECHOREPLY no longer supported.\n");
+ ve_printk_ratelimited(VE_LOG, "ECHOREPLY no longer supported.\n");
 return -EINVAL;
 } else if (rejinfo->with == IPT_TCP_RESET) {
 /* Must specify that it's a TCP packet */
 if (e->ip.proto != IPPROTO_TCP ||
 (e->ip.invflags & XT_INV_PROTO)) {
- pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
+ ve_printk_ratelimited(VE_LOG, "TCP_RESET invalid for non-tcp\n");
 return -EINVAL;
 }
 }
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 1b3f3577c3a7..7eb2a98ec410 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
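Review bot: The new loop-detection message in mark_source_chains is a plain `ve_printk(VE_LOG, ...)`, while every other message this commit redirects uses `ve_printk_ratelimited`; the `return 0` right after it presumably makes the whole table load fail, so a container that keeps retrying a ruleset with a chain loop can write this line to its log without bound. Suggest `ve_printk_ratelimited(VE_LOG, "iptables: loop hook %u pos %u %08X.\n", hook, pos, e->comefrom);` for consistency with the rest of the series. mark_source_chains starts and ends outside the hunk.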
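Review bot: Replacing `pr_info_ratelimited` with `ve_printk_ratelimited(VE_LOG, ...)` in reject_tg_check drops whatever prefix the file's pr_fmt attaches (upstream ipt_REJECT.c, xt_TCPMSS.c and xt_limit.c define it as KBUILD_MODNAME followed by ": "), so "ECHOREPLY no longer supported." and "TCP_RESET invalid for non-tcp" would arrive without the extension name that told the reader where they came from. The same applies to the xt_TCPMSS.c checkentry messages and the xt_limit.c hunk below, whose texts ("Only works on TCP SYN packets", "Overflow, try lower") are hard to attribute on their own. Unless ve_printk_ratelimited applies pr_fmt itself, which cannot be seen from this patch, pass the prefix explicitly, e.g. `ve_printk_ratelimited(VE_LOG, KBUILD_MODNAME ": ECHOREPLY no longer supported.\n");`. The x_tables.c messages carry their own "%s_tables:" prefix and are unaffected.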
@@ -474,35 +474,36 @@ int xt_check_match(struct xt_mtchk_param *par,
 * ebt_among is exempt from centralized matchsize checking
 * because it uses a dynamic-size data set.
 */
- pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
- xt_prefix[par->family], par->match->name,
- par->match->revision,
- XT_ALIGN(par->match->matchsize), size);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u match: invalid size "
+ "%u (kernel) != (user) %u\n",
+ xt_prefix[par->family], par->match->name,
+ par->match->revision,
+ XT_ALIGN(par->match->matchsize), size);
 return -EINVAL;
 }
 if (par->match->table != NULL &&
 strcmp(par->match->table, par->table) != 0) {
- pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
- xt_prefix[par->family], par->match->name,
- par->match->table, par->table);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid in %s table, not %s\n",
+ xt_prefix[par->family], par->match->name,
+ par->match->table, par->table);
 return -EINVAL;
 }
 if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
 char used[64], allow[64];
- pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
- xt_prefix[par->family], par->match->name,
- textify_hooks(used, sizeof(used),
- par->hook_mask, par->family),
- textify_hooks(allow, sizeof(allow),
- par->match->hooks,
- par->family));
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: used from hooks %s, but only "
+ "valid from %s\n",
+ xt_prefix[par->family], par->match->name,
+ textify_hooks(used, sizeof(used), par->hook_mask,
+ par->family),
+ textify_hooks(allow, sizeof(allow), par->match->hooks,
+ par->family));
 return -EINVAL;
 }
 if (par->match->proto && (par->match->proto != proto || inv_proto)) {
- pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
- xt_prefix[par->family], par->match->name,
- par->match->proto);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s match: only valid for protocol %u\n",
+ xt_prefix[par->family], par->match->name,
+ par->match->proto);
 return -EINVAL;
 }
 if (par->match->checkentry != NULL) {
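Review bot: The rewritten `ve_printk_ratelimited` calls in xt_check_match split user-visible format strings across two literals (`"... invalid size " "%u (kernel) != (user) %u\n"` and `"... but only " "valid from %s\n"`), which kernel style discourages (checkpatch warns on quoted strings split across lines) because the message can no longer be found with a single grep; the replaced `pr_*_ratelimited` calls deliberately kept each string whole even past 80 columns. The same split appears in the ip_tables.c loop message, in xt_check_target, and twice in the xt_TCPMSS.c path-MTU message. Separately, the size-mismatch message was `pr_err_ratelimited` while the others were `pr_info_ratelimited`; once all of them become `ve_printk_ratelimited(VE_LOG, ...)` the severity distinction is gone unless VE_LOG carries a level, which is worth confirming or stating in the commit message. xt_check_match begins before and ends after the hunk.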
@@ -988,35 +989,36 @@ int xt_check_target(struct xt_tgchk_param *par,
 int ret;
 if (XT_ALIGN(par->target->targetsize) != size) {
- pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
- xt_prefix[par->family], par->target->name,
- par->target->revision,
- XT_ALIGN(par->target->targetsize), size);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s.%u target: invalid size "
+ "%u (kernel) != (user) %u\n",
+ xt_prefix[par->family], par->target->name,
+ par->target->revision,
+ XT_ALIGN(par->target->targetsize), size);
 return -EINVAL;
 }
 if (par->target->table != NULL &&
 strcmp(par->target->table, par->table) != 0) {
- pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
- xt_prefix[par->family], par->target->name,
- par->target->table, par->table);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid in %s table, not %s\n",
+ xt_prefix[par->family], par->target->name,
+ par->target->table, par->table);
 return -EINVAL;
 }
 if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
 char used[64], allow[64];
- pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
- xt_prefix[par->family], par->target->name,
- textify_hooks(used, sizeof(used),
- par->hook_mask, par->family),
- textify_hooks(allow, sizeof(allow),
- par->target->hooks,
- par->family));
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: used from hooks %s, but only "
+ "usable from %s\n",
+ xt_prefix[par->family], par->target->name,
+ textify_hooks(used, sizeof(used), par->hook_mask,
+ par->family),
+ textify_hooks(allow, sizeof(allow), par->target->hooks,
+ par->family));
 return -EINVAL;
 }
 if (par->target->proto && (par->target->proto != proto || inv_proto)) {
- pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
- xt_prefix[par->family], par->target->name,
- par->target->proto);
+ ve_printk_ratelimited(VE_LOG, "%s_tables: %s target: only valid for protocol %u\n",
+ xt_prefix[par->family], par->target->name,
+ par->target->proto);
 return -EINVAL;
 }
 if (par->target->checkentry != NULL) {
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 122db9fbb9f4..61a0c00af518 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -105,7 +105,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu);
 if (min_mtu <= minlen) {
- net_err_ratelimited("unknown or invalid path-MTU (%u)\n",
+ net_velog_ratelimited("unknown or invalid path-MTU (%u)\n",
 min_mtu);
 return -1;
 }
@@ -270,7 +270,8 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 (1 << NF_INET_LOCAL_OUT) |
 (1 << NF_INET_POST_ROUTING))) != 0) {
- pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
+ ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in "
+ "FORWARD, OUTPUT and POSTROUTING hooks\n");
 return -EINVAL;
 }
 if (par->nft_compat)
@@ -279,7 +280,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
 return 0;
- pr_info_ratelimited("Only works on TCP SYN packets\n");
+ ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n");
 return -EINVAL;
 }
@@ -294,7 +295,8 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
 (1 << NF_INET_LOCAL_OUT) |
 (1 << NF_INET_POST_ROUTING))) != 0) {
- pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
+ ve_printk_ratelimited(VE_LOG, "path-MTU clamping only supported in "
+ "FORWARD, OUTPUT and POSTROUTING hooks\n");
 return -EINVAL;
 }
 if (par->nft_compat)
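Review bot: The per-packet message in tcpmss_mangle_packet moves from `net_err_ratelimited` to `net_velog_ratelimited`, yet the commit description says this series introduces `net_veboth_ratelimited` so that net-ratelimited messages land in both the host and the container buffers; please confirm which helper is intended here, since an invalid path-MTU is a container-visible rule problem but also a host-side routing symptom an operator would expect in the host log. Unlike the checkentry messages in this file, this one is reached from packet processing, so whichever helper is chosen must keep the rate limit. If net_velog_ratelimited does not prepend pr_fmt the way the net_* helpers do, the module name is lost here as well. tcpmss_mangle_packet begins and ends outside the hunk.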
@@ -303,7 +305,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 xt_ematch_foreach(ematch, e)
 if (find_syn_match(ematch))
 return 0;
- pr_info_ratelimited("Only works on TCP SYN packets\n");
+ ve_printk_ratelimited(VE_LOG, "Only works on TCP SYN packets\n");
 return -EINVAL;
 }
 #endif
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 8b4fd27857f2..9bcb95b3cce0 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -110,8 +110,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
 /* Check for overflow. */
 if (r->burst == 0 ||
 user2credits(r->avg * r->burst) < user2credits(r->avg)) {
- pr_info_ratelimited("Overflow, try lower: %u/%u\n",
- r->avg, r->burst);
+ ve_printk_ratelimited(VE_LOG, "Overflow, try lower: %u/%u\n",
+ r->avg, r->burst);
 return -ERANGE;
 }
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel