Hi Nick,
On 09/30/2015 09:56 PM, Nick Knutov wrote:
I know ipset is not virtualized, but I have a number of trusted CTs and I
want to use ipset inside them (and it is OK in my case to share all data
between the CTs and the node).
Is it possible to enable ipset for selected CTs?
Surely you've already found the issue where ipset was disabled previously:
https://bugs.openvz.org/browse/OVZ-5736
So currently you cannot use ipset inside Containers.
What can you do now? You have 2 options:
1) just remove the patch, added for that bug, which disables ipset management
inside Containers, and you'll be able to manage ipset inside ALL Containers
on the Hardware Node.
Patch attached, just in case.
2) based on the patch provided (so you know all the places you need to fix), you
can implement a feature that enables ipset management for a defined list of
CTs only, and send us patches.
Hope that helps.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
--- Begin Message ---
* diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT
Added to 042stab093_2
ve/net/netfilter/ipset: prohibit ipset from the inside CT
Currently a CT owner can configure ipset rules which are not virtualized and
therefore affect the whole Hardware Node.
We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
let's prohibit ipset configuration from inside a CT in PCS6 (2.6.32-x).
https://jira.sw.ru/browse/PSBM-27792
https://bugzilla.openvz.org/show_bug.cgi?id=2644
Signed-off-by: Kirill Tkhai <ktk...@parallels.com>
---
---
net/netfilter/ipset/ip_set_core.c | 38 +++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/net/netfilter/ipset/ip_set_core.c
b/net/netfilter/ipset/ip_set_core.c
index 2fcd993..db49896 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -638,6 +638,9 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
u32 flags = flag_exist(nlh);
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
attr[IPSET_ATTR_TYPENAME] == NULL ||
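Review bot: The same `ve_is_super(get_exec_env())` guard is pasted into thirteen handlers (this hunk and the ip_set_destroy, ip_set_flush, ip_set_rename, ip_set_swap, ip_set_dump, ip_set_uadd, ip_set_udel, ip_set_utest, ip_set_header, ip_set_type, ip_set_protocol and ip_set_sockfn_get hunks), so a handler added later will silently lack it; if the ipset nfnetlink subsystem is dispatched through one place outside this hunk, a single check there, or a small static helper called from each handler, would be easier to keep complete. None of the copies says why the check exists; a comment such as `/* ipset is not virtualized: configuring it from inside a CT affects the whole node (PSBM-27792) */` at the first one would save the next reader a trip to the tracker. The guard covers only the netlink configuration path and the getsockopt path shown in this patch; whether node-level sets remain reachable from inside a CT through other in-kernel users of the ipset API is not visible here and is worth confirming. ip_set_create's body continues past the hunk.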
@@ -758,6 +761,9 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
ip_set_id_t i;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr)))
return -IPSET_ERR_PROTOCOL;
@@ -822,6 +828,9 @@ ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
{
ip_set_id_t i;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr)))
return -IPSET_ERR_PROTOCOL;
@@ -861,6 +870,9 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
ip_set_id_t i;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
attr[IPSET_ATTR_SETNAME2] == NULL))
@@ -909,6 +921,9 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
ip_set_id_t from_id, to_id;
char from_name[IPSET_MAXNAMELEN];
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
attr[IPSET_ATTR_SETNAME2] == NULL))
@@ -1123,6 +1138,9 @@ ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
const struct nlmsghdr *nlh,
const struct nlattr * const attr[])
{
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr)))
return -IPSET_ERR_PROTOCOL;
@@ -1214,6 +1232,9 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
bool use_lineno;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
!((attr[IPSET_ATTR_DATA] != NULL) ^
@@ -1268,6 +1289,9 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
bool use_lineno;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
!((attr[IPSET_ATTR_DATA] != NULL) ^
@@ -1319,6 +1343,9 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL ||
attr[IPSET_ATTR_DATA] == NULL ||
@@ -1356,6 +1383,9 @@ ip_set_header(struct sock *ctnl, struct sk_buff *skb,
ip_set_id_t index;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL))
return -IPSET_ERR_PROTOCOL;
@@ -1413,6 +1443,9 @@ ip_set_type(struct sock *ctnl, struct sk_buff *skb,
const char *typename;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_TYPENAME] == NULL ||
attr[IPSET_ATTR_FAMILY] == NULL))
@@ -1469,6 +1502,9 @@ ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh2;
int ret = 0;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
+
if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
return -IPSET_ERR_PROTOCOL;
@@ -1586,6 +1622,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void
__user *user, int *len)
if (!capable(CAP_NET_ADMIN))
return -EPERM;
+ if (!ve_is_super(get_exec_env()))
+ return -EPERM;
if (optval != SO_IP_SET)
return -EBADF;
if (*len < sizeof(unsigned))
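Review bot: The new check in ip_set_sockfn_get sits directly after the `capable(CAP_NET_ADMIN)` test and returns the same `-EPERM`, so the two could be one condition, `if (!capable(CAP_NET_ADMIN) || !ve_is_super(get_exec_env())) return -EPERM;`, which also keeps the container guard next to the privilege check it extends. Unlike the netlink handlers, where the guard is the first statement, here it follows an existing check, so the ordering is deliberate rather than accidental; a one-line comment saying so would help. ip_set_sockfn_get's body continues past the hunk.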
--- End Message ---