[Devel,rh7] net/ip6tables: fix autoloading of the ip6table_raw module from CT

Submitted by Andrey Ryabinin on Aug. 3, 2016, 2:12 p.m.

Details

Message ID 1470233563-3166-1-git-send-email-aryabinin@virtuozzo.com
State New
Series "net/ip6tables: fix autoloading of the ip6table_raw module from CT"

Commit Message

Andrey Ryabinin Aug. 3, 2016, 2:12 p.m.
Currently autoloading of the ip6table_raw module is forbidden
from a container, leading to:
     ip6tables-restore v1.4.21: ip6tables-restore: unable to initialize table 'raw'

If use of ip6tables is allowed in a container, autoloading of ip6table_raw
has to be permitted as well.

https://jira.sw.ru/browse/PSBM-50548

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 kernel/kmod.c                     | 1 +
 net/ipv6/netfilter/ip6table_raw.c | 3 +++
 2 files changed, 4 insertions(+)


diff --git a/kernel/kmod.c b/kernel/kmod.c
index 5e5c2c6..d2c16a9 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -213,6 +213,7 @@  static struct {
 	{ "ip6table_filter",	VE_IP_FILTER6	},
 	{ "ip6table_nat",	VE_IP_NAT	},
 	{ "ip6table_mangle",	VE_IP_MANGLE6	},
+	{ "ip6table_raw",	VE_IP_IPTABLES6	},
 
 	{ "xt_CONNMARK",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 	{ "xt_CONNSECMARK",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
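Review bot: the new kmod.c entry gates ip6table_raw on the broad VE_IP_IPTABLES6 bit, while the neighbouring IPv6 tables are gated on table-specific bits (VE_IP_FILTER6, VE_IP_MANGLE6); a one-line comment here, or a sentence in the commit message, stating why raw deliberately uses the generic ip6tables capability rather than a dedicated one would save the next reader from assuming it is an oversight. The choice is at least consistent: the same VE_IP_IPTABLES6 bit is what the ip6table_raw.c hunk checks in ip6table_raw_net_init, so the module-autoload policy and the per-netns registration policy agree.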
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 8cf2a39..271835d 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -34,6 +34,9 @@  static int __net_init ip6table_raw_net_init(struct net *net)
 {
 	struct ip6t_replace *repl;
 
+	if (!net_ipt_permitted(net, VE_IP_IPTABLES6))
+		return 0;
+
 	repl = ip6t_alloc_initial_table(&packet_raw);
 	if (repl == NULL)
 		return -ENOMEM;
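Review bot: the early `return 0;` when net_ipt_permitted() fails makes the per-netns init succeed without ever registering the raw table, but this diff changes only the init path; please confirm that the matching exit hook, ip6table_raw_net_exit, tolerates a table that was never registered for that netns (either by repeating the same net_ipt_permitted(net, VE_IP_IPTABLES6) check before unregistering, or by relying on the unregister path handling a missing table), otherwise a container without the capability would hit an unbalanced unregister on teardown. A short comment above the check, noting that an unprivileged container intentionally gets no raw table rather than an error, would also make the silent success obvious to readers of this function.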

Comments

Kirill Tkhai Aug. 3, 2016, 3:23 p.m.
On 03.08.2016 17:12, Andrey Ryabinin wrote:
> Currently autoloading of the ip6table_raw module is forbidden
> from a container, leading to:
>      ip6tables-restore v1.4.21: ip6tables-restore: unable to initialize table 'raw'
> 
> If use of ip6tables is allowed in a container, autoloading of ip6table_raw
> has to be permitted as well.
> 
> https://jira.sw.ru/browse/PSBM-50548
> 
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>

Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>

> ---
>  kernel/kmod.c                     | 1 +
>  net/ipv6/netfilter/ip6table_raw.c | 3 +++
>  2 files changed, 4 insertions(+)
> 
> diff --git a/kernel/kmod.c b/kernel/kmod.c
> index 5e5c2c6..d2c16a9 100644
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -213,6 +213,7 @@ static struct {
>  	{ "ip6table_filter",	VE_IP_FILTER6	},
>  	{ "ip6table_nat",	VE_IP_NAT	},
>  	{ "ip6table_mangle",	VE_IP_MANGLE6	},
> +	{ "ip6table_raw",	VE_IP_IPTABLES6	},
>  
>  	{ "xt_CONNMARK",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
>  	{ "xt_CONNSECMARK",	VE_NF_CONNTRACK|VE_IP_CONNTRACK },
> diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
> index 8cf2a39..271835d 100644
> --- a/net/ipv6/netfilter/ip6table_raw.c
> +++ b/net/ipv6/netfilter/ip6table_raw.c
> @@ -34,6 +34,9 @@ static int __net_init ip6table_raw_net_init(struct net *net)
>  {
>  	struct ip6t_replace *repl;
>  
> +	if (!net_ipt_permitted(net, VE_IP_IPTABLES6))
> +		return 0;
> +
>  	repl = ip6t_alloc_initial_table(&packet_raw);
>  	if (repl == NULL)
>  		return -ENOMEM;
>