The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.12
------>
commit b52eb66aa007d3fb588c2b839d725da899c4cb2e
Author: Kirill Gorkunov <gorcu...@virtuozzo.com>
Date:   Wed Oct 20 11:40:38 2021 +0300

    net/gre: Consider VE_FEATURE_IPGRE on new net creation
    
    If we load gre module on the node, say we need gre transport on the
    node for some reason, this will affect containers -- they won't be
    checkpointable (due to lack of support in userspace) until the module
    is unloaded from the node again. We have a special feature bit to
    control this transport creation, let's start considering its value.
    
    https://jira.sw.ru/browse/PSBM-84241
    
    Signed-off-by: Cyrill Gorcunov <gorcu...@virtuozzo.com>
    
    Rebased to vz8:
    - With ms commit 64bc17811b72 ("ipv4: speedup ipv6 tunnels dismantle")
    tunnels started to use ops->exit_batch with ip_tunnel_delete_nets
    instead of ip_tunnel_delete_net and ops->exit, which this commit modified
    With rebase commit 70e5af2252244 ("net: Make ipip feature optional")
    ip_tunnel_delete_nets is aware of itn being NULL in some net namespaces.
    So we can safely drop op->exit hunks.
    - Use net_generic_free instead of net_assign_generic for the same reasons
    as 70e5af2252244 ("net: Make ipip feature optional")
    
    (cherry-picked from vz7 commit 2db99ab7bfe2 ("net/gre: Consider 
VE_FEATURE_IPGRE
    on new net creation"))
    
    Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
    
    (cherry picked from vz8 commit 3190cd175f4a44667e4bdf31430613928450e06a)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 include/uapi/linux/vzcalluser.h |  2 +-
 net/ipv4/ip_gre.c               | 20 ++++++++++++++++++++
 net/ipv4/ip_tunnel.c            |  4 ++++
 net/ipv6/ip6_gre.c              | 28 ++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/vzcalluser.h b/include/uapi/linux/vzcalluser.h
index 6ae1853d5632..282b2b861722 100644
--- a/include/uapi/linux/vzcalluser.h
+++ b/include/uapi/linux/vzcalluser.h
@@ -44,7 +44,7 @@ struct vzctl_ve_configure {
 #define VE_FEATURE_SIT          (1ULL << 3)
 #define VE_FEATURE_IPIP         (1ULL << 4)
 #define VE_FEATURE_PPP         (1ULL << 5)
-#define VE_FEATURE_IPGRE       (1ULL << 6)     /* deprecated */
+#define VE_FEATURE_IPGRE       (1ULL << 6)
 #define VE_FEATURE_BRIDGE      (1ULL << 7)
 #define VE_FEATURE_NFSD                (1ULL << 8)
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 87a682b57dff..b1087eefb6e5 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -45,6 +45,9 @@
 #include <net/dst_metadata.h>
 #include <net/erspan.h>
 
+#include <uapi/linux/vzcalluser.h>
+#include <linux/ve.h>
+
 /*
    Problems & solutions
    --------------------
@@ -1018,6 +1021,12 @@ static const struct gre_protocol ipgre_protocol = {
 
 static int __net_init ipgre_init_net(struct net *net)
 {
+#ifdef CONFIG_VE
+       if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+               net_generic_free(net, ipgre_net_id);
+               return 0;
+       }
+#endif
        return ip_tunnel_init_net(net, ipgre_net_id, &ipgre_link_ops, NULL);
 }
 
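Review bot: `net->owner_ve` is dereferenced in `ipgre_init_net` without a check, and the early `return 0` after `net_generic_free()` carries no comment saying that the namespace is now left without per-net GRE state. Whether `owner_ve` can still be NULL while a namespace is being set up is not visible in this diff, so either a guard or a short comment stating the invariant would help. I would also add something like `/* GRE disabled for this VE: per-net slot stays empty, every user of ipgre_net_id must tolerate NULL */` above the `net_generic_free()` call, because the gate is only safe if every other reader of that id checks for NULL. The same applies to the identical blocks added to `ipgre_tap_init_net` and `ip6gre_init_net`.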
@@ -1336,6 +1345,11 @@ ipgre_newlink_encap_setup(struct net_device *dev, struct 
nlattr *data[])
 {
        struct ip_tunnel_encap ipencap;
 
+#ifdef CONFIG_VE
+       if (!(dev_net(dev)->owner_ve->features & VE_FEATURE_IPGRE))
+               return -EACCES;
+#endif
+
        if (ipgre_netlink_encap_parms(data, &ipencap)) {
                struct ip_tunnel *t = netdev_priv(dev);
                int err = ip_tunnel_encap_setup(t, &ipencap);
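Review bot: The check in `ipgre_newlink_encap_setup` re-reads the feature bit at link-creation time, while the `*_init_net` hunks decide once, at namespace creation, whether the per-net tunnel state exists, and `ip6gre_newlink_common` tests the per-net pointer instead. If `features` can change after the namespace has been created (not visible in this diff), this test could pass in a namespace whose per-net state was already freed, and later code would then operate on a NULL `ip_tunnel_net`. Either document that the bit is fixed before any netns of the VE is created, or test the per-net pointer in the callers, which know their own net id. A policy check inside a helper named for encap setup is also easy to overlook, so a one-line comment such as `/* VE policy: GRE links require VE_FEATURE_IPGRE */` would help; the function body continues past the end of the hunk.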
@@ -1680,6 +1694,12 @@ EXPORT_SYMBOL_GPL(gretap_fb_dev_create);
 
 static int __net_init ipgre_tap_init_net(struct net *net)
 {
+#ifdef CONFIG_VE
+       if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+               net_generic_free(net, gre_tap_net_id);
+               return 0;
+       }
+#endif
        return ip_tunnel_init_net(net, gre_tap_net_id, &ipgre_tap_ops, 
"gretap0");
 }
 
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 13efb326e4b7..10d231baac70 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -90,6 +90,10 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        struct net_device *ndev;
        unsigned int hash;
 
+#ifdef CONFIG_VE
+       if (!itn) /* no VE_FEATURE_IPGRE */
+               return NULL;
+#endif
        hash = ip_tunnel_hash(key, remote);
        head = &itn->tunnels[hash];
 
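Review bot: The comment `/* no VE_FEATURE_IPGRE */` on the new NULL test is too narrow for `ip_tunnel_lookup`, which takes a generic `struct ip_tunnel_net` and, going by the commit message, can already see a NULL `itn` in namespaces where the ipip feature is off. Something like `/* per-net state is absent when this tunnel type is disabled for the VE */` describes the condition without naming a single feature. The `#ifdef CONFIG_VE` around a plain NULL test changes nothing for non-VE builds except removing a cheap guard, so it could be dropped unless the tree's convention is to fence every VE-specific line. Other functions in this file that receive `itn` are outside the hunk and should be checked for the same assumption.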
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 454a4a224fad..3d06e3c485e7 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -29,6 +29,7 @@
 #include <linux/hash.h>
 #include <linux/if_tunnel.h>
 #include <linux/ip6_tunnel.h>
+#include <linux/ve.h>
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -53,6 +54,7 @@
 #include <net/erspan.h>
 #include <net/dst_metadata.h>
 
+#include <uapi/linux/vzcalluser.h>
 
 static bool log_ecn_error = true;
 module_param(log_ecn_error, bool, 0644);
@@ -129,6 +131,11 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct 
net_device *dev,
        int score, cand_score = 4;
        struct net_device *ndev;
 
+#ifdef CONFIG_VE
+       if (!ign) /* no VE_FEATURE_IPGRE */
+               return NULL;
+#endif
+
        for_each_ip_tunnel_rcu(t, ign->tunnels_r_l[h0 ^ h1]) {
                if (!ipv6_addr_equal(local, &t->parms.laddr) ||
                    !ipv6_addr_equal(remote, &t->parms.raddr) ||
@@ -1555,6 +1562,11 @@ static void ip6gre_destroy_tunnels(struct net *net, 
struct list_head *head)
        struct net_device *dev, *aux;
        int prio;
 
+#ifdef CONFIG_VE
+       if (!ign) /* no VE_FEATURE_IPGRE */
+               return;
+#endif
+
        for_each_netdev_safe(net, dev, aux)
                if (dev->rtnl_link_ops == &ip6gre_link_ops ||
                    dev->rtnl_link_ops == &ip6gre_tap_ops ||
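Review bot: The early `return` in `ip6gre_destroy_tunnels` sits in front of the `for_each_netdev_safe` loop, and the part of that loop visible in the hunk only compares `dev->rtnl_link_ops` and never touches `ign`. Returning before it means any ip6gre device present in this namespace (for instance one moved in from another namespace, if that is possible here) is no longer queued for unregistration by this function when the feature is off, and is left to whatever generic teardown runs later. Moving the `if (!ign)` test to just before the first use of `ign` would keep the device sweep and still avoid the NULL dereference. The remainder of the function is outside the hunk, so the exact placement has to be confirmed against the full body.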
@@ -1587,6 +1599,13 @@ static int __net_init ip6gre_init_net(struct net *net)
        struct net_device *ndev;
        int err;
 
+#ifdef CONFIG_VE
+       if (!(net->owner_ve->features & VE_FEATURE_IPGRE)) {
+               net_generic_free(net, ip6gre_net_id);
+               return 0;
+       }
+#endif
+
        if (!net_has_fallback_tunnels(net))
                return 0;
        ndev = alloc_netdev(sizeof(struct ip6_tnl), "ip6gre0",
@@ -1967,6 +1986,15 @@ static int ip6gre_newlink_common(struct net *src_net, 
struct net_device *dev,
        struct ip6_tnl *nt;
        struct ip_tunnel_encap ipencap;
        int err;
+#ifdef CONFIG_VE
+       struct net *net = dev_net(dev);
+       struct ip6gre_net *ign;
+
+       ign = net_generic(net, ip6gre_net_id);
+
+       if (!ign) /* no VE_FEATURE_IPGRE */
+               return -EACCES;
+#endif
 
        nt = netdev_priv(dev);
 
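Review bot: The NULL test on `ign` in `ip6gre_newlink_common` only protects code that runs after this point, so a caller that reads the per-net ip6gre state before calling the common helper would still dereference NULL in a namespace created without `VE_FEATURE_IPGRE`. The callers are outside this hunk; please confirm that none of them uses `net_generic(net, ip6gre_net_id)` ahead of this call, or move the test to the top of each newlink entry point. This path is also gated on the per-net pointer while `ipgre_newlink_encap_setup` is gated on the feature bit, and using one condition on both sides would make the policy easier to audit. As a smaller style point, the `#ifdef CONFIG_VE` declarations follow `int err;` without a separating blank line, and `ign` is assigned in a separate statement where an initialiser would do.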