The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-229.7.2.vz7.9.10 ------> commit a92604e706b122bc06624876ac720b8667c3635a Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Date: Wed Nov 18 15:59:13 2015 +0400
fence-watchdog: Port: diff-fence-watchdog-add-wdog_tmo-match fix wdog_tmo_mt and wdog_tmo_mt_check to match prototypes Author: Dmitry Guryanov Email: dgurya...@parallels.com Subject: watchdog: add wdog_tmo match Date: Fri, 8 Nov 2013 22:38:09 +0400 Add wdog_tmo netfilter match, which returns true if out watchdog timeout exceed. You have to set watchdog action to 'netfilter', so that host won't reboot or halt. Fix for: https://jira.sw.ru/browse/PSBM-23253 Dmitry Guryanov (2): watchdog: add netfilter action watchdog: add wdog_tmo match This patch description: Add wdog_tmo match, which could be used to forbid network traffic in case of watchdog timeout. This match doesn't have any parameters, example of usage: iptables -A OUTPUT -m wdog_tmo -j DROP You have to add support of this match to userspace iptables part. Signed-off-by: Dmitry Guryanov <dgurya...@parallels.com> Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Acked-by: Andrew Vagin <ava...@virtuozzo.com>
---
 include/linux/fence-watchdog.h | 1 +
 kernel/fence-watchdog.c | 6 +++++
 net/netfilter/Kconfig | 6 +++++
 net/netfilter/Makefile | 1 +
 net/netfilter/xt_wdog_tmo.c | 51 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+)
diff --git a/include/linux/fence-watchdog.h b/include/linux/fence-watchdog.h
index b1e61bc..b56afe2 100644
--- a/include/linux/fence-watchdog.h
+++ b/include/linux/fence-watchdog.h
@@ -2,5 +2,6 @@
 #define _LINUX_FENCE_WATCHDOG_H_
 inline int fence_wdog_check_timer(void);
+bool fence_wdog_tmo_match(void);
 #endif
diff --git a/kernel/fence-watchdog.c b/kernel/fence-watchdog.c
index 0e6b7ec..572ef40 100644
--- a/kernel/fence-watchdog.c
+++ b/kernel/fence-watchdog.c
@@ -84,6 +84,12 @@ inline int fence_wdog_check_timer(void)
 return 0;
 }
+bool fence_wdog_tmo_match(void)
+{
+ return get_jiffies_64() > fence_wdog_jiffies64;
+}
+EXPORT_SYMBOL(fence_wdog_tmo_match);
+
 static ssize_t fence_wdog_timer_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf)
 {
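Review bot: The new prototype `bool fence_wdog_tmo_match(void);` relies on `bool`, which in a kernel header comes from `<linux/types.h>`; the hunk shows only the include guard, so unless an include outside the hunk already brings the type in, a translation unit that pulls in `fence-watchdog.h` before `linux/types.h` will not compile. Adding `#include <linux/types.h>` directly under the guard keeps the header self-contained.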
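Review bot: `fence_wdog_tmo_match()` reports a timeout whenever `get_jiffies_64()` is past `fence_wdog_jiffies64` without consulting whether the watchdog is armed at all; if that variable rests at 0 or at a stale past deadline, every packet matches and an `-m wdog_tmo -j DROP` rule cuts all traffic on a host that never armed the fence. The existing `fence_wdog_check_timer()` just above (its body is outside the hunk) presumably holds an enabled/armed check that this helper should share, or the deadline should be validated before the comparison. At minimum the exported function deserves a comment stating the contract, e.g. `/* True once the armed fence deadline has passed; only meaningful with the 'netfilter' watchdog action. */`.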
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 1abf802..2a460c0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1410,6 +1410,12 @@ config NETFILTER_XT_MATCH_U32
 Details and examples are in the kernel module source.
+config NETFILTER_XT_MATCH_WDOG_TMO
+ tristate '"wdog_tmo" watchdog timer match'
+ depends on NETFILTER_ADVANCED && NETFILTER_NETLINK && FENCE_WATCHDOG
+ help
+ This option selects the watchdog timer match module.
+
 endif # NETFILTER_XTABLES
 endmenu
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3c09d98..96faa08 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -165,6 +165,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_WDOG_TMO) += xt_wdog_tmo.o
 # ipset
 obj-$(CONFIG_IP_SET) += ipset/
diff --git a/net/netfilter/xt_wdog_tmo.c b/net/netfilter/xt_wdog_tmo.c
new file mode 100644
index 0000000..e6f8cd5
--- /dev/null
+++ b/net/netfilter/xt_wdog_tmo.c
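Review bot: The help text `This option selects the watchdog timer match module.` does not tell the configurator what the match tests or that it is only useful with the fence watchdog action set to 'netfilter', which the commit message explains; suggest `Match packets once the fence watchdog timeout has expired. Combine with the 'netfilter' watchdog action to cut traffic instead of rebooting the host.` as the help body. The `depends on NETFILTER_NETLINK` clause has no visible counterpart in xt_wdog_tmo.c, which uses only the x_tables and fence-watchdog interfaces, so it looks inherited from a neighbouring entry and may be droppable.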
@@ -0,0 +1,51 @@
+/*
+ * net/netfilter/xt_wdog_tmo.c
+ *
+ * Copyright (C) 2013, Parallels inc.
+ * All rights reserved.
+ *
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/fence-watchdog.h>
+
+static bool
+wdog_tmo_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ return fence_wdog_tmo_match();
+}
+
+int wdog_tmo_mt_check(const struct xt_mtchk_param *par)
+{
+
+ return ve_is_super(get_exec_env());
+}
+
+static struct xt_match wdog_tmo_mt_reg __read_mostly = {
+ .name = "wdog_tmo",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .match = wdog_tmo_mt,
+ .checkentry = wdog_tmo_mt_check,
+ .matchsize = 0,
+ .me = THIS_MODULE,
+};
+
+static int __init wdog_tmo_mt_init(void)
+{
+ return xt_register_match(&wdog_tmo_mt_reg);
+}
+
+static void __exit wdog_tmo_mt_exit(void)
+{
+ xt_unregister_match(&wdog_tmo_mt_reg);
+}
+
+module_init(wdog_tmo_mt_init);
+module_exit(wdog_tmo_mt_exit);
+MODULE_AUTHOR("Dmitry Guryanov <dgurya...@parallels.com>");
+MODULE_DESCRIPTION("Xtables: fence watchdog timeout matching");
+MODULE_LICENSE("GPL");
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
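Review bot: `wdog_tmo_mt_check` returns `ve_is_super(get_exec_env())` directly as the checkentry result, but xtables treats a checkentry return of 0 as success and any non-zero value as failure (negative errno is passed through, positive is flagged as an error), so if `ve_is_super()` is non-zero on the host as its name suggests, a `-m wdog_tmo` rule is rejected on the host and accepted inside containers — the reverse of the privilege gate the check is meant to be. The line should map the predicate onto that convention, `return ve_is_super(get_exec_env()) ? 0 : -EPERM;`, with a comment such as `/* Only the host (ve0) may install this match. */`. The function should also be `static` like the other handlers, since it is reached only through `.checkentry`, and the includes of `linux/file.h` and `net/sock.h` have no visible use in the file.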