The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.7
------>
commit 5f6dbce004ffb21b500d930b46d2b85287619f6d
Author: Kirill Tkhai <ktk...@odin.com>
Date:   Fri May 29 12:01:52 2015 +0400

    ve/kmod: Add rules for autoloading (new) nf_tables
    
    nf_tables is a new netfilter table. Add autoload permissions
    like we have for {ip,ip6,x}tables.
    
    https://jira.sw.ru/browse/PSBM-33631
    
    Signed-off-by: Kirill Tkhai <ktk...@odin.com>
    Reviewed-by: Cyrill Gorcunov <gorcu...@odin.com>
---
 kernel/kmod.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/kernel/kmod.c b/kernel/kmod.c
index b77bbc5..2daabea 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -267,9 +267,52 @@ static struct {
        { "ip_conntrack",       VE_NF_CONNTRACK|VE_IP_CONNTRACK },
        { "nf_conntrack-10",    VE_NF_CONNTRACK|VE_IP_CONNTRACK },
        { "nf_conntrack_ipv6",  VE_NF_CONNTRACK|VE_IP_CONNTRACK },
+
+       { "nft-set",            VE_IP_IPTABLES                  },
+       { "nft-afinfo-2",       VE_IP_IPTABLES                  }, /* IPV4 */
+       { "nft-afinfo-3",       VE_IP_IPTABLES                  }, /* ARP  */
+       { "nft-afinfo-10",      VE_IP_IPTABLES6                 }, /* IPV6 */
+
+       { "nft-chain-2-nat",    VE_IP_IPTABLES|VE_IP_NAT        },
+       { "nft-chain-2-route",  VE_IP_IPTABLES                  },
+
+       { "nft-chain-10-nat",   VE_IP_IPTABLES6|VE_IP_NAT       },
+       { "nft-chain-10-route", VE_IP_IPTABLES6         },
+
+       { "nft-expr-2-reject",  VE_IP_IPTABLES                  },
+       { "nft-expr-10-reject", VE_IP_IPTABLES6                 },
 };
 
 /*
+ *  Check if module named nft-expr-name is allowed.
+ *  We pass only tail name part to this function.
+ */
+static bool nft_expr_allowed(const char *name)
+{
+       u64 permitted = get_exec_env()->ipt_mask;
+
+       if (!name[0])
+               return false;
+
+       if (!strcmp(name, "ct"))
+               return mask_ipt_allow(permitted, VE_IP_CONNTRACK);
+
+       if (!strcmp(name, "nat"))
+               return mask_ipt_allow(permitted, VE_IP_NAT);
+
+       /*
+        * We are interested in modules like nft-expr-xxx.
+        * Expressions like nft-expr-xxx-yyy currently are
+        * handled in ve0_am table. So expr does not cointain
+        * minus
+        */
+       if (!strchr(name, '-'))
+               return mask_ipt_allow(permitted, VE_IP_IPTABLES) |
+                      mask_ipt_allow(permitted, VE_IP_IPTABLES6);
+       return false;
+}
+
+/*
  * module_payload_allowed - check if module functionality is allowed
  *                         to be used inside current virtual enviroment.
  *
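Review bot: The final return in nft_expr_allowed combines the two mask_ipt_allow() results with bitwise `|`, which evaluates both calls and relies on the return type collapsing to bool; the logical form reads as intended and short-circuits: `return mask_ipt_allow(permitted, VE_IP_IPTABLES) ||` / `       mask_ipt_allow(permitted, VE_IP_IPTABLES6);`. Note also that this branch is an open-ended allow rather than an explicit list: any alias of the form nft-expr-<word> without a further dash becomes loadable by a container holding either iptables or ip6tables rights, including expression modules added later, so the header comment should say so (e.g. "Any single-word nft-expr-* alias is permitted to containers with IPv4 or IPv6 iptables rights; aliases with a second dash are denied here unless listed in the table above"). The dashed-name fallthrough to `return false` is the fail-closed default and is worth keeping. Minor: "cointain" in the block comment should be "contain".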
@@ -310,6 +353,10 @@ bool module_payload_allowed(const char *module)
        if (!strncmp("ebt_", module, 4))
                return true;
 
+       /* The rest of nft- modules */
+       if (!strncmp("nft-expr-", module, 9))
+               return nft_expr_allowed(module + 9);
+
        return false;
 }
 #endif /* CONFIG_VE_IPTABLES */
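Review bot: The prefix length 9 appears twice, once in the strncmp() and once in the `module + 9` offset, and the two can drift apart if the prefix string is ever edited; deriving it from the literal keeps them in sync: `static const char nft_expr_pfx[] = "nft-expr-";` / `if (!strncmp(nft_expr_pfx, module, sizeof(nft_expr_pfx) - 1))` / `return nft_expr_allowed(module + sizeof(nft_expr_pfx) - 1);`. The tail passed on may be empty when the module name is exactly "nft-expr-", which nft_expr_allowed already rejects via its `!name[0]` check, so no extra guard is needed here. module_payload_allowed starts outside this hunk.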