On Thu, Oct 27, 2016 at 06:50:17PM +0300, Pavel Tikhomirov wrote:
> While reproducing the problem mentioned in patch 1 I found that
> we need this change to be able to configure the vxlan fdb
> 
> https://jira.sw.ru/browse/PSBM-53629
> Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
> ---
>  include/linux/ve.h   |  4 ++--
>  kernel/ve/ve.c       | 11 ++++++++++-
>  net/core/rtnetlink.c |  4 ++--
>  net/socket.c         |  2 +-
>  4 files changed, 15 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/ve.h b/include/linux/ve.h
> index ad40726..edff7e4 100644
> --- a/include/linux/ve.h
> +++ b/include/linux/ve.h
> @@ -160,7 +160,7 @@ extern struct kobject * kobject_create_and_add_ve(const 
> char *name,
>  
>  extern struct kmapset_set ve_sysfs_perms;
>  
> -extern int vz_security_family_check(struct net *net, int family);
> +extern int vz_security_family_check(struct net *net, int family, int type);
>  extern int vz_security_protocol_check(struct net *net, int protocol);
>  
>  extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
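Review bot: The new third parameter is named `type` but nothing in the declaration says what it is; the callers in this patch pass an rtnetlink message type (`nlh->nlmsg_type`) from net/core/rtnetlink.c and the literal `0` from `__sock_create`, where `type` is already the socket type argument, so the name invites confusion. Renaming it to `nlmsg_type` in this prototype, in the stub in the second hunk of this file and in the definition in kernel/ve/ve.c, and adding a comment above the prototype such as `/* nlmsg_type: rtnetlink message type being checked, or 0 when the check is for socket creation rather than a netlink message */`, would make the contract explicit. The same naming point applies to the second hunk of this file and to the net/socket.c hunk, where the `0` argument is otherwise unexplained.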
> @@ -247,7 +247,7 @@ static inline void ve_mount_nr_dec(void)
>  
>  #define ve_uevent_seqnum uevent_seqnum
>  
> -static inline int vz_security_family_check(struct net *net, int family) { 
> return 0; }
> +static inline int vz_security_family_check(struct net *net, int family, int 
> type) { return 0; }
>  static inline int vz_security_protocol_check(struct net *net, int protocol) 
> { return 0; }
>  
>  #define ve_utsname   system_utsname
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index 8afff3d..df42759 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -41,6 +41,7 @@
>  #include <uapi/linux/vzcalluser.h>
>  #include <linux/venet.h>
>  #include <linux/vziptable_defs.h>
> +#include <net/rtnetlink.h>
>  
>  static struct kmem_cache *ve_cachep;
>  
> @@ -180,7 +181,7 @@ EXPORT_SYMBOL(get_ve_by_id);
>  EXPORT_SYMBOL(ve_list_lock);
>  EXPORT_SYMBOL(ve_list_head);
>  
> -int vz_security_family_check(struct net *net, int family)
> +int vz_security_family_check(struct net *net, int family, int type)

Do you know why we need vz_security_family_check() in rhel7?

>  {
>       if (ve_is_super(net->owner_ve))
>               return 0;
> @@ -195,6 +196,14 @@ int vz_security_family_check(struct net *net, int family)
>       case PF_PPPOX:
>       case PF_KEY:
>               return 0;
> +     case PF_BRIDGE:
> +             if (type)
> +                     switch (type) {
> +                             case RTM_NEWNEIGH:
> +                             case RTM_DELNEIGH:
> +                             case RTM_GETNEIGH:
> +                                     return 0;
> +                     }
>       default:
>               return -EAFNOSUPPORT;
>       }
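Review bot: In the new `case PF_BRIDGE:` arm, a message type other than the three neighbour types falls out of the inner `switch` and through into `default:`, which is what produces -EAFNOSUPPORT, but nothing marks that fall-through as intended, and the outer `if (type)` adds nothing since 0 is below RTM_BASE and matches none of the inner cases. Writing the arm as an explicit test avoids both: `case PF_BRIDGE:` / `if (type == RTM_NEWNEIGH || type == RTM_DELNEIGH || type == RTM_GETNEIGH) return 0;` / `return -EAFNOSUPPORT;`. A short comment saying that only FDB (neighbour) operations are opened to non-super VEs, for vxlan fdb configuration, would also record why PF_BRIDGE is the one family gated per message type. This hunk only widens the family check; whether a container may actually modify the FDB presumably still rests on the CAP_NET_ADMIN check in rtnetlink_rcv_msg, which is outside the quoted hunks and worth confirming. The function's closing brace is within the hunk, but its start is above it.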
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 8e72446..1ba3a9d 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -2325,7 +2325,7 @@ static int rtnl_dump_all(struct sk_buff *skb, struct 
> netlink_callback *cb)
>               if (rtnl_msg_handlers[idx] == NULL ||
>                   rtnl_msg_handlers[idx][type].dumpit == NULL)
>                       continue;
> -             if (vz_security_family_check(net, idx))
> +             if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
>                       continue;
>               if (idx > s_idx) {
>                       memset(&cb->args[0], 0, sizeof(cb->args));
> @@ -3040,7 +3040,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, 
> struct nlmsghdr *nlh)
>               return 0;
>  
>       family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
> -     if (vz_security_family_check(net, family))
> +     if (vz_security_family_check(net, family, nlh->nlmsg_type))
>               return -EAFNOSUPPORT;
>  
>       sz_idx = type>>2;
> diff --git a/net/socket.c b/net/socket.c
> index 7ec5de5..bb96466 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1264,7 +1264,7 @@ int __sock_create(struct net *net, int family, int 
> type, int protocol,
>       }
>  
>       /* VZ compatibility layer */
> -     err = vz_security_family_check(net, family);
> +     err = vz_security_family_check(net, family, 0);
>       if (err < 0)
>               return err;
>  
> -- 
> 2.7.4
> 