The commit is pushed to "branch-rh7-3.10.0-327.10.1.vz7.12.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.10.1.vz7.12.3
------>
commit fe7fe7c40308523be30aa9990f8c4a7ea568b509
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Thu Mar 24 19:53:40 2016 +0400

    vzprivnet: Allow internet access for weak private networks
    
    Port diff-vzprivnet-kill-weak-to-weak-communications
      VZPRIVNET: allow internet access to weak private networks
    
      From now on, all communication between weak private networks is
      dropped, except for internet connection packets.
    
      Jira: https://jira.sw.ru/browse/PCLIN-28916
    
      Ported from rhel5
    
      Signed-off-by: Stanislav Kinsbursky <skinsbur...@parallels.com>
    
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/vzprivnet.h          | 1 +
 net/ipv4/netfilter/ip_vzprivnet.c  | 4 ++--
 net/ipv6/netfilter/ip6_vzprivnet.c | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/vzprivnet.h b/include/linux/vzprivnet.h
index fb345db..3b6ee0e 100644
--- a/include/linux/vzprivnet.h
+++ b/include/linux/vzprivnet.h
@@ -16,5 +16,6 @@ void vzprivnet_unreg_show(vzprivnet_show_fn);
 
 #define VZPRIVNET_STRONG       0
 #define VZPRIVNET_WEAK         1
+#define VZPRIVNET_INET         2
 
 #endif
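Review bot: `VZPRIVNET_INET` is added without a comment, yet after this commit the numeric values of the three constants carry the filtering policy: both classifiers add two `.weak` fields and accept on `>= 3`. Renumbering or extending this list would silently change which networks can reach each other. A comment above the defines would make that dependency visible, for example `/* Values are summed by the v4/v6 classifiers (accept when >= 3): keep STRONG=0, WEAK=1, INET=2. */`. It would also help to state that `VZPRIVNET_INET` marks the built-in internet pseudo-network, which is what the two initializers changed in this commit suggest.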
diff --git a/net/ipv4/netfilter/ip_vzprivnet.c 
b/net/ipv4/netfilter/ip_vzprivnet.c
index 2c72dd3..2045951 100644
--- a/net/ipv4/netfilter/ip_vzprivnet.c
+++ b/net/ipv4/netfilter/ip_vzprivnet.c
@@ -191,7 +191,7 @@ static struct vzprivnet_range *legacy_next(struct 
vzprivnet_range *p)
 
 static struct vzprivnet vzpriv_internet = {
        .nmask = 0,
-       .weak = VZPRIVNET_WEAK
+       .weak = VZPRIVNET_INET
 };
 
 static struct vzprivnet *vzpriv_search(u32 ip)
@@ -229,7 +229,7 @@ static noinline unsigned int vzprivnet_classify(struct 
sk_buff *skb, int type)
                else
                        res = VZPRIV_MARK_DROP;
        } else {
-               if (p1->weak && p2->weak)
+               if (p1->weak + p2->weak >= 3)
                        res = VZPRIV_MARK_ACCEPT;
                else
                        res = VZPRIV_MARK_DROP;
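Review bot: The new test `p1->weak + p2->weak >= 3` expresses the isolation rule through arithmetic on the VZPRIVNET_* values, so it is correct only while `.weak` is always exactly 0, 1 or 2. How `.weak` is set for configured networks is not visible in this hunk, and any other value, or a future fourth type, would change which pairs are accepted without this line being touched. Spelling the rule out keeps the same truth table for the three defined values and makes the intent reviewable: `if ((p1->weak == VZPRIVNET_INET && p2->weak != VZPRIVNET_STRONG) || (p2->weak == VZPRIVNET_INET && p1->weak != VZPRIVNET_STRONG))`. The same sum appears in the vzprivnet6_hook hunk of ip6_vzprivnet.c (`src->weak + dst->weak >= 3`) and would take the same change. The body of vzprivnet_classify starts and ends outside the hunk.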
diff --git a/net/ipv6/netfilter/ip6_vzprivnet.c 
b/net/ipv6/netfilter/ip6_vzprivnet.c
index 9d02cb5..ff8ac77 100644
--- a/net/ipv6/netfilter/ip6_vzprivnet.c
+++ b/net/ipv6/netfilter/ip6_vzprivnet.c
@@ -120,7 +120,7 @@ static struct vzprivnet_entry *vzprivnet6_lookup(u32 *ip)
 }
 
 struct vzprivnet internet = {
-       .weak = VZPRIVNET_WEAK,
+       .weak = VZPRIVNET_INET,
 };
 
 static inline struct vzprivnet *vzprivnet6_lookup_net(u32 *ip)
@@ -334,7 +334,7 @@ static unsigned int vzprivnet6_hook(struct sk_buff *skb, 
int can_be_bridge)
 
        if (src == dst)
                verdict = NF_ACCEPT;
-       else if (src->weak && dst->weak)
+       else if (src->weak + dst->weak >= 3)
                verdict = NF_ACCEPT;
 
        read_unlock(&vzpriv6lock);