
List:       openvz-devel
Subject:    [Devel] [PATCH RH7 v2 3/4] ve: iptables: fix mask initialization and changing
From:       ptikhomirov () virtuozzo ! com (Pavel Tikhomirov)
Date:       2015-06-30 7:25:56
Message-ID: 1435649157-16708-4-git-send-email-ptikhomirov () virtuozzo ! com

- initialize mask on ve cgroup creation
- put ipt_mask under CONFIG_VE_IPTABLES
- reuse setup_iptables_mask

v2: rename setup_iptables_mask into ve_setup_iptables_mask
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/ve.h  |  4 ++++
 kernel/ve/Makefile  |  2 ++
 kernel/ve/ve.c      | 59 ++++++++++++++++++++++++++++++++++-------------------
 kernel/ve/vecalls.c | 29 +-------------------------
 4 files changed, 45 insertions(+), 49 deletions(-)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index 58d5af4..f6feb96 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -150,6 +150,10 @@ extern int nr_ve;
 extern struct proc_dir_entry *proc_vz_dir;
 extern struct cgroup_subsys ve_subsys;
 
+#ifdef CONFIG_VE_IPTABLES
+extern __u64 ve_setup_iptables_mask(__u64 init_mask);
+#endif
+
 #ifdef CONFIG_VE
 #define ve_uevent_seqnum       (get_exec_env()->_uevent_seqnum)
 
diff --git a/kernel/ve/Makefile b/kernel/ve/Makefile
index c45948f..c32e03d 100644
--- a/kernel/ve/Makefile
+++ b/kernel/ve/Makefile
@@ -20,6 +20,8 @@ obj-$(CONFIG_VE_CALLS) += vzstat.o
 
 obj-$(CONFIG_VZ_IOLIMIT) += vziolimit.o
 
+obj-$(CONFIG_VE_IPTABLES) += ve.o
+
 obj-m += dummy/ip6_vzprivnet.o
 obj-m += dummy/ip_vzprivnet.o
 obj-m += dummy/pio_nfs.o
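Review bot: The new `obj-$(CONFIG_VE_IPTABLES) += ve.o` line is not mentioned in the commit message, and the hunk does not show under which other symbol ve.o is already built, so a reader cannot tell whether this is a second listing of the same object or the first. Listing one object under two symbols is tolerated by Kbuild when both are built-in, but if CONFIG_VE_IPTABLES can be `m` while ve.o is also built-in the line is at best redundant; confirm the intended combination. A one-line comment would make the intent explicit, e.g. `# ve.o provides ve_setup_iptables_mask() for the iptables code`.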
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 212c781..802dc79 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -616,6 +616,34 @@ void ve_exit_ns(struct pid_namespace *pid_ns)
 	put_ve(ve); /* from ve_start_container() */
 }
 
+#ifdef CONFIG_VE_IPTABLES
+
+__u64 ve_setup_iptables_mask(__u64 init_mask)
+{
+	/* Remove when userspace will start supplying IPv6-related bits. */
+	init_mask &= ~VE_IP_IPTABLES6;
+	init_mask &= ~VE_IP_FILTER6;
+	init_mask &= ~VE_IP_MANGLE6;
+	init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
+	init_mask &= ~VE_NF_CONNTRACK_MOD;
+
+	if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
+		init_mask |= VE_IP_IPTABLES6;
+	if (mask_ipt_allow(init_mask, VE_IP_FILTER))
+		init_mask |= VE_IP_FILTER6;
+	if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
+		init_mask |= VE_IP_MANGLE6;
+	if (mask_ipt_allow(init_mask, VE_IP_NAT))
+		init_mask |= VE_IP_IPTABLE_NAT;
+	if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
+		init_mask |= VE_NF_CONNTRACK;
+
+	return init_mask;
+}
+EXPORT_SYMBOL(ve_setup_iptables_mask);
+
+#endif
+
 static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
 {
 	struct ve_struct *ve = &ve0;
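Review bot: `ve_setup_iptables_mask()` is now a non-static, exported symbol but carries no comment describing its contract; the only comment inside is the "remove when userspace supplies IPv6 bits" note, which explains the first block but not the function as a whole. Add a kernel-doc header above it such as `/* Normalize a container iptables mask: caller-supplied IPv6 and *_MOD bits are discarded and re-derived from the corresponding IPv4 bits via mask_ipt_allow(); returns the resulting mask. */`, which also tells callers that any IPv6 bits they pass are ignored rather than honoured. As a point of style, the signature and the new `extern` in include/linux/ve.h use the uapi type `__u64` for a kernel-internal function whose cgroup caller passes a `u64`; `u64 ve_setup_iptables_mask(u64 init_mask)` would match kernel convention, although it does mirror the type of the removed static helper.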
@@ -639,6 +667,10 @@ static struct cgroup_subsys_state *ve_create(struct cgroup *cg)
 
 	ve->fsync_enable = 2;
 
+#ifdef CONFIG_VE_IPTABLES
+	ve->ipt_mask = ve_setup_iptables_mask(VE_IP_DEFAULT);
+#endif
+
 	ve->sched_lat_ve.cur = alloc_percpu(struct kstat_lat_pcpu_snap_struct);
 	if (!ve->sched_lat_ve.cur)
 		goto err_lat;
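Review bot: The new initialization in ve_create() gives the cgroup a normalized default mask, but nothing at the site says how it relates to the other two writers: init_ve_struct() in kernel/ve/vecalls.c (last hunk of this patch) recomputes `ve->ipt_mask` from `data->iptables_mask` on the legacy create path, and ve_write_u64() replaces it on a cgroup-file write. A short comment would keep the next reader from treating this as the only place the mask is set, e.g. `/* Default mask; init_ve_struct() or a write to the cgroup file may replace it. */`. ve_create() begins and ends outside this hunk, so whether the assignment is ordered before anything that reads `ipt_mask` cannot be checked here.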
@@ -1074,8 +1106,10 @@ static u64 ve_read_u64(struct cgroup *cg, struct cftype *cft)
 {
 	if (cft->private == VE_CF_FEATURES)
 		return cgroup_ve(cg)->features;
+#ifdef CONFIG_VE_IPTABLES
 	else if (cft->private == VE_CF_IPTABLES_MASK)
 		return cgroup_ve(cg)->ipt_mask;
+#endif
 	return 0;
 }
 
@@ -1094,27 +1128,10 @@ static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
 
 	if (cft->private == VE_CF_FEATURES)
 		ve->features = value;
-	else if (cft->private == VE_CF_IPTABLES_MASK) {
-		value &= ~VE_IP_IPTABLES6;
-		value &= ~VE_IP_FILTER6;
-		value &= ~VE_IP_MANGLE6;
-		value &= ~VE_IP_IPTABLE_NAT_MOD;
-		value &= ~VE_NF_CONNTRACK_MOD;
-
-		if (mask_ipt_allow(value, VE_IP_IPTABLES))
-			value |= VE_IP_IPTABLES6;
-		if (mask_ipt_allow(value, VE_IP_FILTER))
-			value |= VE_IP_FILTER6;
-		if (mask_ipt_allow(value, VE_IP_MANGLE))
-			value |= VE_IP_MANGLE6;
-		if (mask_ipt_allow(value, VE_IP_NAT))
-			value |= VE_IP_IPTABLE_NAT;
-		if (mask_ipt_allow(value, VE_IP_CONNTRACK))
-			value |= VE_NF_CONNTRACK;
-
-		ve->ipt_mask = value;
-	}
-
+#ifdef CONFIG_VE_IPTABLES
+	else if (cft->private == VE_CF_IPTABLES_MASK)
+		ve->ipt_mask = ve_setup_iptables_mask(value);
+#endif
 	up_write(&ve->op_sem);
 	return 0;
 }
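Review bot: With CONFIG_VE_IPTABLES unset, the `else if` for `VE_CF_IPTABLES_MASK` is compiled out, so a write to that cgroup file falls through to `up_write()` and returns 0 — the caller is told the setting was applied when it was ignored — and the matching read in ve_read_u64() (the hunk above) reports 0. If the `VE_CF_IPTABLES_MASK` cftype entry is itself compiled out in that configuration this is moot, but that is not visible in the patch; if it is still registered, the write path should fail explicitly rather than silently accept a security-relevant setting. ve_write_u64() begins outside this hunk, so whether the write is permitted on a running container is not reviewable here.

```c
#ifdef CONFIG_VE_IPTABLES
	else if (cft->private == VE_CF_IPTABLES_MASK)
		ve->ipt_mask = ve_setup_iptables_mask(value);
#else
	else if (cft->private == VE_CF_IPTABLES_MASK) {
		/* iptables masking is not compiled in: do not report success */
		up_write(&ve->op_sem);
		return -EOPNOTSUPP;
	}
#endif
	up_write(&ve->op_sem);
```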
diff --git a/kernel/ve/vecalls.c b/kernel/ve/vecalls.c
index e262c5e..71ee93d 100644
--- a/kernel/ve/vecalls.c
+++ b/kernel/ve/vecalls.c
@@ -223,33 +223,6 @@ static __u64 get_ve_features(env_create_param_t *data, int datalen)
 		(VE_FEATURES_DEF & ~known_features);
 }
 
-#ifdef CONFIG_VE_IPTABLES
-
-static __u64 setup_iptables_mask(__u64 init_mask)
-{
-	/* Remove when userspace will start supplying IPv6-related bits. */
-	init_mask &= ~VE_IP_IPTABLES6;
-	init_mask &= ~VE_IP_FILTER6;
-	init_mask &= ~VE_IP_MANGLE6;
-	init_mask &= ~VE_IP_IPTABLE_NAT_MOD;
-	init_mask &= ~VE_NF_CONNTRACK_MOD;
-
-	if (mask_ipt_allow(init_mask, VE_IP_IPTABLES))
-		init_mask |= VE_IP_IPTABLES6;
-	if (mask_ipt_allow(init_mask, VE_IP_FILTER))
-		init_mask |= VE_IP_FILTER6;
-	if (mask_ipt_allow(init_mask, VE_IP_MANGLE))
-		init_mask |= VE_IP_MANGLE6;
-	if (mask_ipt_allow(init_mask, VE_IP_NAT))
-		init_mask |= VE_IP_IPTABLE_NAT;
-	if (mask_ipt_allow(init_mask, VE_IP_CONNTRACK))
-		init_mask |= VE_NF_CONNTRACK;
-
-	return init_mask;
-}
-
-#endif
-
 static int init_ve_struct(struct ve_struct *ve,
 		u32 class_id, env_create_param_t *data, int datalen)
 {
@@ -264,7 +237,7 @@ static int init_ve_struct(struct ve_struct *ve,
 	/* Set up ipt_mask as it will be used during
 	 * net namespace initialization
 	 */
-	ve->ipt_mask = setup_iptables_mask(data ? data->iptables_mask
+	ve->ipt_mask = ve_setup_iptables_mask(data ? data->iptables_mask
 						: VE_IP_DEFAULT);
 #endif
 
-- 
1.9.3



