While reproducing the problem mentioned in patch 1, I found that we need this to be able to configure the vxlan fdb.
https://jira.sw.ru/browse/PSBM-53629
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/ve.h | 4 ++--
 kernel/ve/ve.c | 11 ++++++++++-
 net/core/rtnetlink.c | 4 ++--
 net/socket.c | 2 +-
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/include/linux/ve.h b/include/linux/ve.h
index ad40726..edff7e4 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -160,7 +160,7 @@ extern struct kobject * kobject_create_and_add_ve(const char *name,
 extern struct kmapset_set ve_sysfs_perms;
-extern int vz_security_family_check(struct net *net, int family);
+extern int vz_security_family_check(struct net *net, int family, int type);
 extern int vz_security_protocol_check(struct net *net, int protocol);
 extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
@@ -247,7 +247,7 @@ static inline void ve_mount_nr_dec(void)
 #define ve_uevent_seqnum uevent_seqnum
-static inline int vz_security_family_check(struct net *net, int family) { return 0; }
+static inline int vz_security_family_check(struct net *net, int family, int type) { return 0; }
 static inline int vz_security_protocol_check(struct net *net, int protocol) { return 0; }
 #define ve_utsname system_utsname
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 8afff3d..df42759 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -41,6 +41,7 @@
 #include <uapi/linux/vzcalluser.h>
 #include <linux/venet.h>
 #include <linux/vziptable_defs.h>
+#include <net/rtnetlink.h>
 static struct kmem_cache *ve_cachep;
@@ -180,7 +181,7 @@ EXPORT_SYMBOL(get_ve_by_id);
 EXPORT_SYMBOL(ve_list_lock);
 EXPORT_SYMBOL(ve_list_head);
-int vz_security_family_check(struct net *net, int family)
+int vz_security_family_check(struct net *net, int family, int type)
 {
 if (ve_is_super(net->owner_ve))
 return 0;
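Review bot: The new third parameter of vz_security_family_check() is named `type`, but the callers pass a netlink message type (`nlh->nlmsg_type` in the two net/core/rtnetlink.c hunks) or a literal `0` (__sock_create in net/socket.c), not the socket type that __sock_create's own `type` argument carries, and neither the prototype in this hunk nor the stub in the second ve.h hunk says which one is meant. A one-line comment on the prototype would remove the ambiguity: `/* type: rtnetlink nlmsg_type of the request being checked, 0 when the check is for socket() creation */`. Renaming the parameter to `nlmsg_type` in both ve.h hunks and in the kernel/ve/ve.c definition would make the distinction self-documenting.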
@@ -195,6 +196,14 @@ int vz_security_family_check(struct net *net, int family)
 case PF_PPPOX:
 case PF_KEY:
 return 0;
+ case PF_BRIDGE:
+ if (type)
+ switch (type) {
+ case RTM_NEWNEIGH:
+ case RTM_DELNEIGH:
+ case RTM_GETNEIGH:
+ return 0;
+ }
 default:
 return -EAFNOSUPPORT;
 }
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 8e72446..1ba3a9d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2325,7 +2325,7 @@ static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb)
 if (rtnl_msg_handlers[idx] == NULL ||
 rtnl_msg_handlers[idx][type].dumpit == NULL)
 continue;
- if (vz_security_family_check(net, idx))
+ if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
 continue;
 if (idx > s_idx) {
 memset(&cb->args[0], 0, sizeof(cb->args));
@@ -3040,7 +3040,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 return 0;
 family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
- if (vz_security_family_check(net, family))
+ if (vz_security_family_check(net, family, nlh->nlmsg_type))
 return -EAFNOSUPPORT;
 sz_idx = type>>2;
diff --git a/net/socket.c b/net/socket.c
index 7ec5de5..bb96466 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1264,7 +1264,7 @@ int __sock_create(struct net *net, int family, int type, int protocol,
 }
 /* VZ compatibility layer */
- err = vz_security_family_check(net, family);
+ err = vz_security_family_check(net, family, 0);
 if (err < 0)
 return err;
--
2.7.4
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
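Review bot: In the new `case PF_BRIDGE:` block, any `type` other than RTM_NEWNEIGH/RTM_DELNEIGH/RTM_GETNEIGH (including the `0` passed from __sock_create) falls through into `default:` and returns -EAFNOSUPPORT; that is the wanted outcome, but the fall-through is unmarked and the `if (type)` guard is redundant, since `switch (type)` with `type == 0` matches no case and reaches the same `default:`. I would drop the `if (type)` line and add `/* fallthrough: any other PF_BRIDGE request stays denied */` before `default:` so a later reader does not "fix" the apparently missing `break`. Also worth stating in the commit message is what keeps RTM_NEWNEIGH/RTM_DELNEIGH from letting an unprivileged process inside the container rewrite bridge/vxlan fdb entries now that the family check passes them — presumably the CAP_NET_ADMIN check in rtnetlink_rcv_msg, which is outside this hunk, so it should be confirmed that it still runs for these messages. The body of vz_security_family_check() starts before this hunk.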