The commit is pushed to "branch-rh7-3.10.0-327.28.2.vz7.17.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-327.28.2.vz7.17.5 ------> commit ea69e57dd11d6ab6cd2fefbf64993228cdcd002e Author: Kirill Tkhai <ktk...@virtuozzo.com> Date: Tue Sep 13 13:09:57 2016 +0400
net: Mark conntrack users in xtables
Allow conntracks to be allocated in case of these rules are inserted.
https://jira.sw.ru/browse/PSBM-51050
Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>
Reviewed-by: Andrei Vagin <ava...@virtuozzo.com>
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 ++
 net/ipv4/netfilter/ipt_MASQUERADE.c | 1 +
 net/ipv4/netfilter/ipt_SYNPROXY.c | 6 +++++-
 net/ipv6/netfilter/ip6t_MASQUERADE.c | 1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c | 6 +++++-
 net/netfilter/xt_CONNSECMARK.c | 2 ++
 net/netfilter/xt_HMARK.c | 1 +
 net/netfilter/xt_NETMAP.c | 2 ++
 net/netfilter/xt_REDIRECT.c | 2 ++
 net/netfilter/xt_cluster.c | 1 +
 net/netfilter/xt_connbytes.c | 2 ++
 net/netfilter/xt_connlabel.c | 3 ++-
 net/netfilter/xt_connlimit.c | 2 ++
 net/netfilter/xt_connmark.c | 3 +++
 net/netfilter/xt_conntrack.c | 2 ++
 net/netfilter/xt_helper.c | 1 +
 net/netfilter/xt_ipvs.c | 1 +
 net/netfilter/xt_nat.c | 9 +++++++++
 net/netfilter/xt_socket.c | 9 +++++++++
 net/netfilter/xt_state.c | 2 ++
 20 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 5798d53..84e05cd 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -418,6 +418,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 return ret;
 }
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index da7f02a..ae621de 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -41,6 +41,7 @@ static int masquerade_tg_check(const struct xt_tgchk_param *par)
 pr_debug("bad rangesize %u\n", mr->rangesize);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f28cd93..f49f9a3 100644
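Review bot: allow_conntrack_allocation(par->net) is called from clusterip_tg_check, and from every other checkentry hook in this commit, but no hunk adds a counterpart in the matching destroy hooks, so once a rule has been inserted the namespace stays marked as a conntrack user after the rule is removed again. If the helper is a one-way latch that is presumably intended, but nothing on the page says so; if it keeps a count, the missing release leaks it. A one-line comment at the first call site, `/* one-way: never cleared when the rule is removed */`, or a sentence in the commit description would settle it for the next reader. clusterip_tg_check starts outside the hunk.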
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -408,12 +408,16 @@ static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
 static int synproxy_tg4_check(const struct xt_tgchk_param *par)
 {
 const struct ipt_entry *e = par->entryinfo;
+ int ret;
 if (e->ip.proto != IPPROTO_TCP ||
 e->ip.invflags & XT_INV_PROTO)
 return -EINVAL;
- return nf_ct_l3proto_try_module_get(par->family);
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret == 0)
+ allow_conntrack_allocation(par->net);
+ return ret;
 }
 static void synproxy_tg4_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
index 7f9f45d..ce15db3 100644
--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
+++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
@@ -33,6 +33,7 @@ static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
 if (range->flags & NF_NAT_RANGE_MAP_IPS)
 return -EINVAL;
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 3308621..ee6ccfb 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -432,13 +432,17 @@ static unsigned int ipv6_synproxy_hook(const struct nf_hook_ops *ops,
 static int synproxy_tg6_check(const struct xt_tgchk_param *par)
 {
 const struct ip6t_entry *e = par->entryinfo;
+ int ret;
 if (!(e->ipv6.flags & IP6T_F_PROTO) ||
 e->ipv6.proto != IPPROTO_TCP ||
 e->ipv6.invflags & XT_INV_PROTO)
 return -EINVAL;
- return nf_ct_l3proto_try_module_get(par->family);
+ ret = nf_ct_l3proto_try_module_get(par->family);
+ if (ret == 0)
+ allow_conntrack_allocation(par->net);
+ return ret;
 }
 static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index e04dc28..4a4cee9 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -110,6 +110,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 return ret;
 }
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 73b73f6..48dfe88 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -334,6 +334,7 @@ static int hmark_tg_check(const struct xt_tgchk_param *par)
 pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index b253e07..94fd456 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -60,6 +60,7 @@ static int netmap_tg6_checkentry(const struct xt_tgchk_param *par)
 if (!(range->flags & NF_NAT_RANGE_MAP_IPS))
 return -EINVAL;
+ allow_conntrack_allocation(par->net);
 return 0;
 }
@@ -111,6 +112,7 @@ static int netmap_tg4_check(const struct xt_tgchk_param *par)
 pr_debug("bad rangesize %u.\n", mr->rangesize);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_REDIRECT.c b/net/netfilter/xt_REDIRECT.c
index 22a1030..8a44a07 100644
--- a/net/netfilter/xt_REDIRECT.c
+++ b/net/netfilter/xt_REDIRECT.c
@@ -76,6 +76,7 @@ static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
 if (range->flags & NF_NAT_RANGE_MAP_IPS)
 return -EINVAL;
+ allow_conntrack_allocation(par->net);
 return 0;
 }
@@ -92,6 +93,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par)
 pr_debug("bad rangesize %u.\n", mr->rangesize);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index f4af1bf..d7d575e 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
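Review bot: hmark_tg_check now marks the namespace as a conntrack user for every HMARK rule, although upstream xt_HMARK consults the conntrack only when the rule sets XT_HMARK_FLAG(XT_HMARK_CT). If that still holds in this tree, gating the call, `if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT)) allow_conntrack_allocation(par->net);`, keeps rules that never touch conntrack from enabling allocation for the whole namespace. Whether `info` is in scope at that point cannot be seen here, since hmark_tg_check starts outside the hunk.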
@@ -147,6 +147,7 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 "higher than the total number of nodes\n");
 return -EDOM;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index e595e07..07326a0 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,6 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 /*
 * This filter cannot function correctly unless connection tracking
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 9f8719d..bb75e8c 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -57,7 +57,8 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
 return ret;
- }
+ } else
+ allow_conntrack_allocation(par->net);
 par->net->ct.labels_used++;
 words = BITS_TO_LONGS(info->bit+1);
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 34aa0ba..72752b1 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -389,6 +389,8 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 for (i = 0; i < ARRAY_SIZE(info->data->climit_root6); ++i)
 info->data->climit_root6[i] = RB_ROOT;
+ allow_conntrack_allocation(par->net);
+
 return 0;
 }
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 3059aa3..baf25c2 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -182,6 +182,7 @@ static int connmark_mt_check_v0(const struct xt_mtchk_param *par)
 "proto=%u\n", par->family);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
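Review bot: In connlabel_mt_check the new `} else` pairs an unbraced else with a braced if whose body ends in `return ret;`, which the kernel coding style asks to brace on both sides, and the else is redundant anyway because that branch never falls through. Keeping the original `}` line untouched and adding `allow_conntrack_allocation(par->net);` as a plain statement after it, as the other hunks in this commit do, gives the same control flow without the asymmetric braces. connlabel_mt_check continues beyond the hunk.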
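Review bot: connlimit_mt_check is the only call site in this commit that inserts an empty line between `allow_conntrack_allocation(par->net);` and `return 0;`; every other hunk puts the call directly before the return. Dropping the added blank line keeps the call sites uniform and the hunk down to the one line that matters. connlimit_mt_check starts outside the hunk.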
@@ -207,6 +208,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 return ret;
 }
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 4846430..bdd398a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -415,6 +415,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 return ret;
 }
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 9f4ab00..230cb1e 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -66,6 +66,7 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
 return ret;
 }
 info->name[29] = '\0';
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 8d47c37..2f74f35 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -161,6 +161,7 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index bea7464..27a2020 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -23,6 +23,13 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
 par->target->name);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
+ return 0;
+}
+
+static int xt_nat_checkentry_v1(const struct xt_tgchk_param *par)
+{
+ allow_conntrack_allocation(par->net);
 return 0;
 }
@@ -129,6 +136,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
 {
 .name = "SNAT",
 .revision = 1,
+ .checkentry = xt_nat_checkentry_v1,
 .target = xt_snat_target_v1,
 .targetsize = sizeof(struct nf_nat_range),
 .table = "nat",
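Review bot: xt_nat_checkentry_v1 is a new function with no comment, and since the table hunks show that the SNAT/DNAT revision-1 entries had no `.checkentry` before, a reader will wonder why one that validates nothing now exists. A one-line header, `/* Nothing to validate for revision 1; registered only to mark this netns as a conntrack user. */`, makes the intent explicit, and the same line belongs above the equally empty socket_mt_v0_check added in xt_socket.c. xt_nat_checkentry_v0 starts outside its hunk.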
@@ -139,6 +147,7 @@ static struct xt_target xt_nat_target_reg[] __read_mostly = {
 {
 .name = "DNAT",
 .revision = 1,
+ .checkentry = xt_nat_checkentry_v1,
 .target = xt_dnat_target_v1,
 .targetsize = sizeof(struct nf_nat_range),
 .table = "nat",
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 1ba6793..102946a 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -388,6 +388,12 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
 }
 #endif
+static int socket_mt_v0_check(const struct xt_mtchk_param *par)
+{
+ allow_conntrack_allocation(par->net);
+ return 0;
+}
+
 static int socket_mt_v1_check(const struct xt_mtchk_param *par)
 {
 const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
@@ -396,6 +402,7 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par)
 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
@@ -407,6 +414,7 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2);
 return -EINVAL;
 }
+ allow_conntrack_allocation(par->net);
 return 0;
 }
@@ -416,6 +424,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
 .revision = 0,
 .family = NFPROTO_IPV4,
 .match = socket_mt4_v0,
+ .checkentry = socket_mt_v0_check,
 .hooks = (1 << NF_INET_PRE_ROUTING) |
 (1 << NF_INET_LOCAL_IN),
 .me = THIS_MODULE,
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index a507922..eb5a50d 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -47,6 +47,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
 if (ret < 0)
 pr_info("cannot load conntrack support for proto=%u\n",
 par->family);
+ else
+ allow_conntrack_allocation(par->net);
 return ret;
 }
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
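Review bot: socket_mt_v0_check, socket_mt_v1_check and socket_mt_v2_check call allow_conntrack_allocation unconditionally, whereas xt_socket's own conntrack use is compiled only under XT_SOCKET_HAVE_CONNTRACK (upstream defines it near the top of the file; not visible in these hunks). If the helper's declaration comes from a header that is only included under that same guard, a build without conntrack will fail on these lines; either wrap the three calls in `#ifdef XT_SOCKET_HAVE_CONNTRACK` or confirm the helper is declared unconditionally. socket_mt_v1_check and socket_mt_v2_check both start outside their hunks.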