[Devel,RHEL7,COMMIT] ve/net, netfilter: Adjust REDIRECT target on venet device

Submitted by Konstantin Khorenko on Feb. 9, 2017, 3:26 p.m.

Details

Message ID 201702091526.v19FQjWa018342@finist_cl7.x64_64.work.ct
State New
Series "ve/net, netfilter: Adjust REDIRECT target on venet device"

Commit Message

Konstantin Khorenko Feb. 9, 2017, 3:26 p.m.
The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.6.1.vz7.28.5
------>
commit c4830e4a3076841c4544c022d06ad060b322a800
Author: Cyrill Gorcunov <gorcunov@virtuozzo.com>
Date:   Thu Feb 9 19:26:44 2017 +0400

    ve/net,netfilter: Adjust REDIRECT target on venet device
    
    Mostly backported from pcs6 code except I added:
    
     - CONFIG_VE to be able to find this snippet in future
     - Use NETIF_F_VENET so non-venet devices won't be affected
    
    Without this snippet redirection doesn't work. A simple test case:
    
     - run centos-7 container with some IP assigned and "--netfilter full"
       option in config
    
     - add the following rules inside container
    
       iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
       iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
       iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
    
     - go on node and run
    
       curl -i $IPADDR:80
       curl -i $IPADDR:8080
    
    Both should return apache's starting page.
    
    v2 (by vvs@):
     - lookup over all addresses bound to venet until first nonloopback
    
    https://jira.sw.ru/browse/PSBM-59983
    
    Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 net/netfilter/nf_nat_redirect.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
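The address-selection rule the commit message describes (walk the device's address list until the first non-loopback entry) as an added userspace model; this is not code from the patch or the vzkernel tree. `struct ifaddr`, `is_loopback`, `pick_first_nonloopback_or_last`, `pick_first_nonloopback_or_zero` and `build_list` are names chosen for this example, the sample lists (loopback aliases ahead of a routable 10.0.0.5) are constructed, and the stricter `_or_zero` variant is an assumption shown only to contrast with what the patch's loop returns when every address on the device is loopback:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the kernel's struct in_ifaddr; only
 * the two fields the REDIRECT lookup reads are modelled. */
struct ifaddr {
	uint32_t ifa_local;        /* network byte order, as in the kernel */
	struct ifaddr *ifa_next;
};

/* Same check the kernel's IN_LOOPBACK() performs on a host-order address:
 * anything inside 127.0.0.0/8. */
static int is_loopback(uint32_t host_addr)
{
	return (host_addr & 0xff000000u) == 0x7f000000u;
}

/* Mirror of the patch's loop: skip loopback entries but never step past the
 * last node, so an all-loopback list still yields a loopback address. */
uint32_t pick_first_nonloopback_or_last(const struct ifaddr *ifa)
{
	if (!ifa)
		return 0;
	while (is_loopback(ntohl(ifa->ifa_local)) && ifa->ifa_next)
		ifa = ifa->ifa_next;
	return ifa->ifa_local;
}

/* Stricter variant (an assumption of this example, not the patch's code):
 * report 0 when no non-loopback address exists so a caller can keep the
 * pre-patch behaviour instead of redirecting into 127.0.0.0/8. */
uint32_t pick_first_nonloopback_or_zero(const struct ifaddr *ifa)
{
	for (; ifa; ifa = ifa->ifa_next)
		if (!is_loopback(ntohl(ifa->ifa_local)))
			return ifa->ifa_local;
	return 0;
}

/* Link an array of nodes into a list from constructed dotted-quad strings. */
struct ifaddr *build_list(struct ifaddr *nodes, const char *const *addrs, size_t n)
{
	size_t i;

	if (n == 0)
		return NULL;
	for (i = 0; i < n; i++) {
		nodes[i].ifa_local = inet_addr(addrs[i]);
		nodes[i].ifa_next = (i + 1 < n) ? &nodes[i + 1] : NULL;
	}
	return nodes;
}

static void show(const char *label, uint32_t addr)
{
	struct in_addr in = { .s_addr = addr };

	printf("%-28s %s\n", label, addr ? inet_ntoa(in) : "(none)");
}

int main(void)
{
	/* Constructed sample lists: loopback aliases listed ahead of the
	 * container's routable address, and a list with loopback only. */
	const char *const mixed[] = { "127.0.0.1", "127.0.0.2", "10.0.0.5" };
	const char *const lo_only[] = { "127.0.0.1", "127.0.0.2" };
	struct ifaddr a[3], b[2];

	build_list(a, mixed, 3);
	build_list(b, lo_only, 2);

	show("mixed, patch rule:", pick_first_nonloopback_or_last(a));
	show("mixed, strict rule:", pick_first_nonloopback_or_zero(a));
	show("all-loopback, patch rule:", pick_first_nonloopback_or_last(b));
	show("all-loopback, strict rule:", pick_first_nonloopback_or_zero(b));
	return 0;
}
```

On the mixed list both rules pick 10.0.0.5; on the loopback-only list the patch's rule hands back 127.0.0.2 (the last node), while the strict variant reports that no usable address exists, which is the case a reviewer would want the kernel code to state explicitly.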

Patch

diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
index d438698..b5548d1 100644
--- a/net/netfilter/nf_nat_redirect.c
+++ b/net/netfilter/nf_nat_redirect.c
@@ -57,6 +57,17 @@  nf_nat_redirect_ipv4(struct sk_buff *skb,
 		indev = __in_dev_get_rcu(skb->dev);
 		if (indev && indev->ifa_list) {
 			ifa = indev->ifa_list;
+#ifdef CONFIG_VE
+                       /*
+                        * Because of venet device specific, we should use
+                        * first nonloopback ifa in the list.
+                        */
+			if (skb->dev->features & NETIF_F_VENET) {
+				while (IN_LOOPBACK(ntohl(ifa->ifa_local)) &&
+				       ifa->ifa_next)
+					ifa = ifa->ifa_next;
+			}
+#endif
 			newdst = ifa->ifa_local;
 		}
 		rcu_read_unlock();
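Review bot: The new while loop stops when `ifa->ifa_next` is NULL, so a venet device whose address list is entirely loopback still ends with `newdst = ifa->ifa_local` set to a 127.x address; that silent fallback is not what the commit message ("lookup over all addresses bound to venet until first nonloopback") promises, so either document it in the comment or guard the assignment so `newdst` keeps the pre-patch value when no non-loopback entry is found. Two style points in the same block: the four comment lines are indented with spaces while the surrounding code uses tabs, and "Because of venet device specific" should read "Because of venet device specifics".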

Comments

Konstantin Khorenko Feb. 9, 2017, 3:28 p.m.
Please consider preparing a ReadyKernel patch for it.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 02/09/2017 06:26 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-514.6.1.vz7.28.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-514.6.1.vz7.28.5
> ------>
> commit c4830e4a3076841c4544c022d06ad060b322a800
> Author: Cyrill Gorcunov <gorcunov@virtuozzo.com>
> Date:   Thu Feb 9 19:26:44 2017 +0400
>
>     ve/net,netfilter: Adjust REDIRECT target on venet device
>
>     Mostly backported from pcs6 code except I added:
>
>      - CONFIG_VE to be able to find this snippet in future
>      - Use NETIF_F_VENET so non-venet devices won't be affected
>
>     Without this snippet redirection doesn't work. A simple test case:
>
>      - run centos-7 container with some IP assigned and "--netfilter full"
>        option in config
>
>      - add the following rules inside container
>
>        iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
>        iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
>
>      - go on node and run
>
>        curl -i $IPADDR:80
>        curl -i $IPADDR:8080
>
>     Both should return apache's starting page.
>
>     v2 (by vvs@):
>      - lookup over all addresses bound to venet until first nonloopback
>
>     https://jira.sw.ru/browse/PSBM-59983
>
>     Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>