The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.5.7 ------> commit 5f6dbce004ffb21b500d930b46d2b85287619f6d Author: Kirill Tkhai <ktk...@odin.com> Date: Fri May 29 12:01:52 2015 +0400
ve/kmod: Add rules for autoloading (new) nf_tables nf_tables is a new netfilter table. Add autoload permissions like we have for {ip,ip6,x}tables. https://jira.sw.ru/browse/PSBM-33631 Signed-off-by: Kirill Tkhai <ktk...@odin.com> Reviewed-by: Cyrill Gorcunov <gorcu...@odin.com> --- kernel/kmod.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/kernel/kmod.c b/kernel/kmod.c index b77bbc5..2daabea 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c 
@@ -267,9 +267,52 @@ static struct {
 	{ "ip_conntrack", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 	{ "nf_conntrack-10", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 	{ "nf_conntrack_ipv6", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
+
+	{ "nft-set", VE_IP_IPTABLES },
+	{ "nft-afinfo-2", VE_IP_IPTABLES }, /* IPV4 */
+	{ "nft-afinfo-3", VE_IP_IPTABLES }, /* ARP */
+	{ "nft-afinfo-10", VE_IP_IPTABLES6 }, /* IPV6 */
+
+	{ "nft-chain-2-nat", VE_IP_IPTABLES|VE_IP_NAT },
+	{ "nft-chain-2-route", VE_IP_IPTABLES },
+
+	{ "nft-chain-10-nat", VE_IP_IPTABLES6|VE_IP_NAT },
+	{ "nft-chain-10-route", VE_IP_IPTABLES6 },
+
+	{ "nft-expr-2-reject", VE_IP_IPTABLES },
+	{ "nft-expr-10-reject", VE_IP_IPTABLES6 },
 };
 
 /*
+ * Check if module named nft-expr-name is allowed.
+ * We pass only tail name part to this function.
+ */
+static bool nft_expr_allowed(const char *name)
+{
+	u64 permitted = get_exec_env()->ipt_mask;
+
+	if (!name[0])
+		return false;
+
+	if (!strcmp(name, "ct"))
+		return mask_ipt_allow(permitted, VE_IP_CONNTRACK);
+
+	if (!strcmp(name, "nat"))
+		return mask_ipt_allow(permitted, VE_IP_NAT);
+
+	/*
+	 * We are interested in modules like nft-expr-xxx.
+	 * Expressions like nft-expr-xxx-yyy currently are
+	 * handled in ve0_am table. So expr does not cointain
+	 * minus
+	 */
+	if (!strchr(name, '-'))
+		return mask_ipt_allow(permitted, VE_IP_IPTABLES) |
+		       mask_ipt_allow(permitted, VE_IP_IPTABLES6);
+	return false;
+}
+
+/*
  * module_payload_allowed - check if module functionality is allowed
  * to be used inside current virtual enviroment.
  *
@@ -310,6 +353,10 @@ bool module_payload_allowed(const char *module)
 	if (!strncmp("ebt_", module, 4))
 		return true;
 
+	/* The rest of nft- modules */
+	if (!strncmp("nft-expr-", module, 9))
+		return nft_expr_allowed(module + 9);
+
 	return false;
 }
 #endif /* CONFIG_VE_IPTABLES */
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
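Review bot: The trailing `if (!strchr(name, '-'))` branch of nft_expr_allowed is a default-allow: every `nft-expr-<name>` module whose name has no dash autoloads with only VE_IP_IPTABLES or VE_IP_IPTABLES6, and only the two exact strings `ct` and `nat` are diverted to the stricter conntrack/NAT gates. Any other expression that depends on NAT or conntrack (which names exist in this kernel is not visible in the hunk) is therefore admitted under the weaker permission, and the permitted set silently widens whenever a new nft expression module appears; an explicit allow-list of known expression names, in the spirit of the table that the comment calls `ve0_am`, would keep the deny-by-default model that the final `return false` of module_payload_allowed otherwise enforces. Independently, the two permission checks are joined with bitwise `|` where logical `||` is meant and would short-circuit: `return mask_ipt_allow(permitted, VE_IP_IPTABLES) || mask_ipt_allow(permitted, VE_IP_IPTABLES6);`. The comment above that line also has a typo, `cointain` should read `contain`. The `static struct` table the first hunk extends begins outside the hunk, so how its entries are consulted is not visible here.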
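Review bot: The comment `/* The rest of nft- modules */` on the added check in module_payload_allowed overstates what the branch covers: only names beginning with `nft-expr-` reach nft_expr_allowed, while every other `nft-` name (set, afinfo, chain) that was not matched earlier still falls through to `return false`, so `/* nft-expr-<name> modules not listed in the table above */` would describe it accurately. The prefix length 9 is also spelled out twice, in `strncmp("nft-expr-", module, 9)` and in `module + 9`, and the two must be kept in sync by hand; `sizeof("nft-expr-") - 1` in both places, or one named constant for the prefix, removes that coupling. The earlier part of module_payload_allowed, including whatever lookup presumably consults the table for the `nft-afinfo-*` and `nft-chain-*` entries, lies outside the hunk.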