The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-229.7.2.vz7.9.2 ------> commit 36110148cbf05a3e9f18b079fda21abeacc255ef Author: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> Date: Tue Oct 27 19:47:58 2015 +0400
ve/nf_conntrack: expose "nf_conntrack_max" in containers
Series: This series brings to vz7 all the nf_conntrack sysctl's, which are available in vz6. https://jira.sw.ru/browse/PSBM-40044 This sysctl table contains only one entry: "/proc/sys/net/nf_conntrack_max". This is now visible inside ct. However, have to say, that "/proc/sys/net/netfilter/nf_conntrack_max" and friends (despite on they are containerized) arebehind init_user_ns.
Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktk...@virtuozzo.com>
---
 include/net/netns/conntrack.h | 1 +
 net/netfilter/nf_conntrack_standalone.c | 71 ++++++++++++++++++++++++---------
 2 files changed, 53 insertions(+), 19 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 0504dc6..4d7de37 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -78,6 +78,7 @@ struct netns_ct {
 unsigned int expect_count;
 unsigned int expect_max;
 #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *netfilter_header;
 struct ctl_table_header *sysctl_header;
 struct ctl_table_header *acct_sysctl_header;
 struct ctl_table_header *tstamp_sysctl_header;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index d1915e5..5de29af 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -412,8 +412,6 @@ static void nf_conntrack_standalone_fini_proc(struct net *net)
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
-static struct ctl_table_header *nf_ct_netfilter_header;
-
 static struct ctl_table nf_ct_sysctl_table[] = {
 {
 .procname = "nf_conntrack_max",
@@ -492,6 +490,42 @@ static int nf_conntrack_hide_sysctl(struct net *net)
 return net->user_ns != net->owner_ve->init_cred->user_ns;
 }
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+ struct ctl_table *table;
+
+ table = kmemdup(nf_ct_netfilter_table, sizeof(nf_ct_netfilter_table),
+ GFP_KERNEL);
+ if (!table)
+ goto out_kmemdup;
+
+ table[0].data = &net->ct.max;
+
+ /* Don't export sysctls to unprivileged users */
+ if (nf_conntrack_hide_sysctl(net))
+ table[0].procname = NULL;
+
+ net->ct.netfilter_header = register_net_sysctl(net, "net", table);
+ if (!net->ct.netfilter_header)
+ goto out_unregister_netfilter;
+
+ return 0;
+
+out_unregister_netfilter:
+ kfree(table);
+out_kmemdup:
+ return -ENOMEM;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+ struct ctl_table *table;
+
+ table = net->ct.netfilter_header->ctl_table_arg;
+ unregister_net_sysctl_table(net->ct.netfilter_header);
+ kfree(table);
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 struct ctl_table *table;
@@ -539,6 +573,15 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net)
 kfree(table);
 }
 #else
+static int nf_conntrack_netfilter_init_sysctl(struct net *net)
+{
+ return 0;
+}
+
+static void nf_conntrack_netfilter_fini_sysctl(struct net *net)
+{
+}
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 return 0;
@@ -567,8 +610,14 @@ static int nf_conntrack_pernet_init(struct net *net)
 if (ret < 0)
 goto out_sysctl;
+ ret = nf_conntrack_netfilter_init_sysctl(net);
+ if (ret < 0)
+ goto out_netfilter_sysctl;
+
 return 0;
+out_netfilter_sysctl:
+ nf_conntrack_standalone_fini_sysctl(net);
 out_sysctl:
 nf_conntrack_standalone_fini_proc(net);
 out_proc:
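Review bot: The label `out_unregister_netfilter` in nf_conntrack_netfilter_init_sysctl() does not unregister anything — it only frees the kmemdup'd table — so the name misstates the unwind step; `out_free:` with the matching `goto out_free;` reads correctly. The same failure path also drops the diagnostic the old module-init code printed: the removed `#ifdef CONFIG_SYSCTL` block in nf_conntrack_standalone_init() logged `pr_err("nf_conntrack: can't register to sysctl.\n");` before returning -ENOMEM, whereas the new per-net function fails silently, which will make an absent /proc/sys/net/nf_conntrack_max in a container hard to diagnose; keeping that `pr_err()` before the goto preserves the old behaviour. The hidden case registers an empty table (procname = NULL) rather than skipping registration, which presumably mirrors what nf_conntrack_standalone_init_sysctl() does, but its body is outside the hunk so that could not be confirmed here.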
@@ -582,6 +631,7 @@ static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
 struct net *net;
 list_for_each_entry(net, net_exit_list, exit_list) {
+ nf_conntrack_netfilter_fini_sysctl(net);
 nf_conntrack_standalone_fini_sysctl(net);
 nf_conntrack_standalone_fini_proc(net);
 }
@@ -611,16 +661,6 @@ static int __init nf_conntrack_standalone_init(void)
 if (ret < 0)
 goto out_start;
-#ifdef CONFIG_SYSCTL
- nf_ct_netfilter_header =
- register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
- if (!nf_ct_netfilter_header) {
- pr_err("nf_conntrack: can't register to sysctl.\n");
- ret = -ENOMEM;
- goto out_sysctl;
- }
-#endif
-
 ret = register_pernet_subsys(&nf_conntrack_net_ops);
 if (ret < 0)
 goto out_pernet;
@@ -629,10 +669,6 @@ static int __init nf_conntrack_standalone_init(void)
 return 0;
 out_pernet:
-#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(nf_ct_netfilter_header);
-out_sysctl:
-#endif
 nf_conntrack_cleanup_end();
 out_start:
 return ret;
@@ -642,9 +678,6 @@ static void __exit nf_conntrack_standalone_fini(void)
 {
 nf_conntrack_cleanup_start();
 unregister_pernet_subsys(&nf_conntrack_net_ops);
-#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(nf_ct_netfilter_header);
-#endif
 nf_conntrack_cleanup_end();
 }
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel