Port diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT from 2.6.32:

Currently a CT owner can configure ipset rules which are not virtualized =>
affect the whole Hardware Node.

We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
let's prohibit ipset configuration from inside a CT while it's not done.

https://jira.sw.ru/browse/PSBM-27792
https://bugzilla.openvz.org/show_bug.cgi?id=2644

Signed-off-by: Kirill Tkhai <ktk...@parallels.com>
---
 net/netfilter/nfnetlink.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e17ad78..07e040f 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -367,7 +367,9 @@ static void nfnetlink_rcv(struct sk_buff *skb)
            skb->len < nlh->nlmsg_len)
                return;
 
-       if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
+       if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) ||
+           (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) &&
+            NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)) {
                netlink_ack(skb, nlh, -EPERM);
                return;
        }
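
Review bot: the second operand of the `||` is redundant, so this hunk does not change behaviour: `(!ns_capable(net->user_ns, CAP_VE_NET_ADMIN) && NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_IPSET)` can only be true when the first operand `!ns_capable(net->user_ns, CAP_VE_NET_ADMIN)` is already true, which makes the whole condition equivalent to the original one-line check. A CT owner holding CAP_VE_NET_ADMIN in its own user namespace therefore still passes and can still configure ipset, contrary to the stated goal of prohibiting ipset configuration from inside a CT. The ipset clause needs a predicate that distinguishes the Hardware Node from a container, for example a capability check against `&init_user_ns` rather than `net->user_ns`, and a short comment pointing at PSBM-27792 explaining why ipset alone is treated differently would help whoever later removes this restriction when ipset is virtualized.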

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel