* [PATCH RFC v2 01/11] br_netfilter: brnf_net structure for sysctl setting
From: Vasily Averin @ 2014-05-12 12:56 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_private.h | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 06811d7..25a785e 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -312,6 +312,19 @@ struct br_input_skb_cb {
# define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb) (0)
#endif
+#if defined CONFIG_BRIDGE_NETFILTER && defined CONFIG_SYSCTL
+struct brnf_net {
+ struct net *net;
+ struct ctl_table_header *hdr;
+ int call_arptables;
+ int call_iptables;
+ int call_ip6tables;
+ int filter_vlan_tagged;
+ int filter_pppoe_tagged;
+ int pass_vlan_indev;
+};
+#endif
+
#define br_printk(level, br, format, args...) \
printk(level "%s: " format, (br)->dev->name, ##args)
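Review bot: the structure is added with no user in this patch, so the `net` and `hdr` members cannot be reviewed against how they are set and read; fold this header change into the patch that first reads the structure (the `brnf_flag` conversion), and give `net` and `hdr` a one-line comment each saying what owns them and when they are valid, since `hdr` is a registered sysctl header that must be unregistered by whoever tears the structure down.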
--
1.7.5.4
* [PATCH RFC v2 02/11] br_netfilter: default sysctl settings in init_brnf_net
From: Vasily Averin @ 2014-05-12 12:56 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 2acf7fa..3e81fd6 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -64,6 +64,18 @@ static int brnf_pass_vlan_indev __read_mostly = 0;
#define brnf_pass_vlan_indev 0
#endif
+#ifdef CONFIG_SYSCTL
+static struct brnf_net init_brnf_net = {
+ .hdr = NULL,
+ .call_arptables = brnf_call_arptables,
+ .call_iptables = brnf_call_iptables,
+ .call_ip6tables = brnf_call_ip6tables,
+ .filter_vlan_tagged = brnf_filter_vlan_tagged,
+ .filter_pppoe_tagged = brnf_filter_pppoe_tagged,
+ .pass_vlan_indev = brnf_pass_vlan_indev,
+};
+#endif
+
#define IS_IP(skb) \
(!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
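Review bot: this initializer does not compile on its own in the CONFIG_SYSCTL branch. There, `brnf_call_arptables` and the other `brnf_*` symbols are still `static int ... __read_mostly` variables (the hunk's own context line is `static int brnf_pass_vlan_indev __read_mostly = 0;`), and a file-scope initializer such as `.call_arptables = brnf_call_arptables,` requires a constant expression, so the compiler rejects it ("initializer element is not constant"). The later patches that turn each symbol into a `#define` repair this one symbol at a time, which leaves the series non-bisectable; squash the define conversion into the patch that introduces `init_brnf_net`.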
--
1.7.5.4
* Re: [PATCH RFC v2 02/11] br_netfilter: default sysctl settings in init_brnf_net
From: Patrick McHardy @ 2014-05-12 14:07 UTC (permalink / raw)
To: Vasily Averin
Cc: Bart De Schuymer, Florian Westphal, netfilter-devel, Pablo Neira Ayuso
On Mon, May 12, 2014 at 04:56:57PM +0400, Vasily Averin wrote:
>
> Signed-off-by: Vasily Averin <vvs@openvz.org>
> ---
> net/bridge/br_netfilter.c | 12 ++++++++++++
> 1 files changed, 12 insertions(+), 0 deletions(-)
>
> diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> index 2acf7fa..3e81fd6 100644
> --- a/net/bridge/br_netfilter.c
> +++ b/net/bridge/br_netfilter.c
> @@ -64,6 +64,18 @@ static int brnf_pass_vlan_indev __read_mostly = 0;
> #define brnf_pass_vlan_indev 0
> #endif
>
> +#ifdef CONFIG_SYSCTL
> +static struct brnf_net init_brnf_net = {
> + .hdr = NULL,
> + .call_arptables = brnf_call_arptables,
> + .call_iptables = brnf_call_iptables,
> + .call_ip6tables = brnf_call_ip6tables,
> + .filter_vlan_tagged = brnf_filter_vlan_tagged,
> + .filter_pppoe_tagged = brnf_filter_pppoe_tagged,
> + .pass_vlan_indev = brnf_pass_vlan_indev,
> +};
> +#endif
These patches are split in an unnecessarily excessive fashion and are hard
to review. The rule is one patch per logical change, not one patch per
file. Introducing a structure and not using it might be acceptable, but
adding a structure definition and not using it is just stupid.
Also introducing all these init_brnf_net conversions that are completely
replaced afterwards is just useless noise. Please combine them in a more
reasonable fashion and resend.
* [PATCH RFC v3 0/2] per-netns sysctl for br_netfilter
From: Vasily Averin @ 2014-05-12 16:31 UTC (permalink / raw)
To: Bart De Schuymer, Patrick McHardy
Cc: Florian Westphal, netfilter-devel, Pablo Neira Ayuso
Dear Patrick,
thank you for the feedback.
Frankly speaking, I still don't understand well how it would be better to split this patch set.
Finally I've decided to combine the v2 patches into 2 parts (1-8 and 9-11).
Could you please explain how to do it better?
This patch set enables per network namespace management for br_netfilter sysctls;
it allows enabling processing of the br-nf-call hooks in some network namespaces
and keeping it disabled in others.
v3: patches are merged into larger chunks
v2: removed extra overhead for CONFIG_SYSCTL=n
Vasily Averin (2):
br_netfilter: common structure for sysctl flags
br_netfilter: per-netns copy of structure for sysctl flags
net/bridge/br_netfilter.c | 155 ++++++++++++++++++++++++++++++++++-----------
net/bridge/br_private.h | 13 ++++
2 files changed, 130 insertions(+), 38 deletions(-)
--
1.7.5.4
* Re: [PATCH RFC v3 0/2] per-netns sysctl for br_netfilter
From: Pablo Neira Ayuso @ 2014-05-29 12:28 UTC (permalink / raw)
To: Vasily Averin
Cc: Bart De Schuymer, Patrick McHardy, Florian Westphal, netfilter-devel
Hi Vasily,
On Mon, May 12, 2014 at 08:31:46PM +0400, Vasily Averin wrote:
> Dear Patrick,
> thank you for the feedback.
> Frankly speaking, I still don't understand well how it would be better to split this patch set.
> Finally I've decided to combine the v2 patches into 2 parts (1-8 and 9-11).
> Could you please explain how to do it better?
>
> This patch set enables per network namespace management for br_netfilter sysctls;
> it allows enabling processing of the br-nf-call hooks in some network namespaces
> and keeping it disabled in others.
>
> v3: patches are merged into larger chunks
> v2: removed extra overhead for CONFIG_SYSCTL=n
Any further concern with this v3 patchset? Thanks.
* Re: [PATCH RFC v3 0/2] per-netns sysctl for br_netfilter
From: Vasily Averin @ 2014-05-30 10:04 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Bart De Schuymer, Patrick McHardy, Florian Westphal,
netfilter-devel, Maciej Żenczykowski
On 05/29/2014 04:28 PM, Pablo Neira Ayuso wrote:
> Hi Vasily,
>
> On Mon, May 12, 2014 at 08:31:46PM +0400, Vasily Averin wrote:
>> This patch set enables per network namespace management for br_netfilter sysctls;
>> it allows enabling processing of the br-nf-call hooks in some network namespaces
>> and keeping it disabled in others.
>>
>> v3: patches are merged into larger chunks
>> v2: removed extra overhead for CONFIG_SYSCTL=n
>
> Any further concern with this v3 patchset? Thanks.
Dear Pablo,
I'm going to re-make this patchset to add the ability to inherit settings from a new netns's parent net-namespace.
Unfortunately right now I'm quite busy with relocation, therefore this task is delayed.
I would also like to say thanks to Bart and Maciej Zenczykowski for the feedback.
* [PATCH RFC v3 1/2] br_netfilter: common structure for sysctl flags
From: Vasily Averin @ 2014-05-12 16:31 UTC (permalink / raw)
To: Bart De Schuymer, Patrick McHardy
Cc: Florian Westphal, netfilter-devel, Pablo Neira Ayuso
Introduced common structure for sysctl flags
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 55 ++++++++++++++++++++++++++------------------
net/bridge/br_private.h | 13 ++++++++++
2 files changed, 45 insertions(+), 23 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 2acf7fa..31bfd90 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -49,19 +49,28 @@
#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_call_iptables __read_mostly = 1;
-static int brnf_call_ip6tables __read_mostly = 1;
-static int brnf_call_arptables __read_mostly = 1;
-static int brnf_filter_vlan_tagged __read_mostly = 0;
-static int brnf_filter_pppoe_tagged __read_mostly = 0;
-static int brnf_pass_vlan_indev __read_mostly = 0;
-#else
+#endif
+#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
-#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#define brnf_pass_vlan_indev 0
+
+#ifdef CONFIG_SYSCTL
+static struct brnf_net init_brnf_net = {
+ .hdr = NULL,
+ .call_arptables = brnf_call_arptables,
+ .call_iptables = brnf_call_iptables,
+ .call_ip6tables = brnf_call_ip6tables,
+ .filter_vlan_tagged = brnf_filter_vlan_tagged,
+ .filter_pppoe_tagged = brnf_filter_pppoe_tagged,
+ .pass_vlan_indev = brnf_pass_vlan_indev,
+};
+
+#define brnf_flag(skb, flag) init_brnf_net.flag
+#else
+#define brnf_flag(skb, flag) brnf_##flag
#endif
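Review bot: the removed variables were `__read_mostly` and are read on every bridged packet through `IS_VLAN_IP()`, `IS_PPPOE_IP()` and the hook functions, but the `static struct brnf_net init_brnf_net` that replaces them carries no section annotation; consider `static struct brnf_net init_brnf_net __read_mostly`. Within this patch `brnf_sysctl_header` (kept at the top of the hunk) and the new `.hdr = NULL` member describe the same sysctl registration, so one of them is redundant until 2/2 removes the global; a sentence in the commit message saying that `hdr` is reserved for the per-netns copy would save reviewers the search. The `skb` argument of `brnf_flag()` is unused by both arms here; the same sentence could say it is there for the namespace lookup that 2/2 adds.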
#define IS_IP(skb) \
@@ -85,15 +94,15 @@ static inline __be16 vlan_proto(const struct sk_buff *skb)
#define IS_VLAN_IP(skb) \
(vlan_proto(skb) == htons(ETH_P_IP) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
#define IS_VLAN_IPV6(skb) \
(vlan_proto(skb) == htons(ETH_P_IPV6) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
#define IS_VLAN_ARP(skb) \
(vlan_proto(skb) == htons(ETH_P_ARP) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
static inline __be16 pppoe_proto(const struct sk_buff *skb)
{
@@ -104,12 +113,12 @@ static inline __be16 pppoe_proto(const struct sk_buff *skb)
#define IS_PPPOE_IP(skb) \
(skb->protocol == htons(ETH_P_PPP_SES) && \
pppoe_proto(skb) == htons(PPP_IP) && \
- brnf_filter_pppoe_tagged)
+ brnf_flag(skb, filter_pppoe_tagged))
#define IS_PPPOE_IPV6(skb) \
(skb->protocol == htons(ETH_P_PPP_SES) && \
pppoe_proto(skb) == htons(PPP_IPV6) && \
- brnf_filter_pppoe_tagged)
+ brnf_flag(skb, filter_pppoe_tagged))
static void fake_update_pmtu(struct dst_entry *dst, struct sock *sk,
struct sk_buff *skb, u32 mtu)
@@ -532,7 +541,7 @@ static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct
struct net_device *vlan, *br;
br = bridge_parent(dev);
- if (brnf_pass_vlan_indev == 0 || !vlan_tx_tag_present(skb))
+ if (brnf_flag(skb, pass_vlan_indev) == 0 || !vlan_tx_tag_present(skb))
return br;
vlan = __vlan_find_dev_deep(br, skb->vlan_proto,
@@ -690,14 +699,14 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
br = p->br;
if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
- if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
+ if (!brnf_flag(skb, call_ip6tables) && !br->nf_call_ip6tables)
return NF_ACCEPT;
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);
}
- if (!brnf_call_iptables && !br->nf_call_iptables)
+ if (!brnf_flag(skb, call_iptables) && !br->nf_call_iptables)
return NF_ACCEPT;
if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
@@ -838,7 +847,7 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
return NF_ACCEPT;
br = p->br;
- if (!brnf_call_arptables && !br->nf_call_arptables)
+ if (!brnf_flag(skb, call_arptables) && !br->nf_call_arptables)
return NF_ACCEPT;
if (!IS_ARP(skb)) {
@@ -1015,42 +1024,42 @@ int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
static struct ctl_table brnf_table[] = {
{
.procname = "bridge-nf-call-arptables",
- .data = &brnf_call_arptables,
+ .data = &init_brnf_net.call_arptables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-call-iptables",
- .data = &brnf_call_iptables,
+ .data = &init_brnf_net.call_iptables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-call-ip6tables",
- .data = &brnf_call_ip6tables,
+ .data = &init_brnf_net.call_ip6tables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-filter-vlan-tagged",
- .data = &brnf_filter_vlan_tagged,
+ .data = &init_brnf_net.filter_vlan_tagged,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-filter-pppoe-tagged",
- .data = &brnf_filter_pppoe_tagged,
+ .data = &init_brnf_net.filter_pppoe_tagged,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-pass-vlan-input-dev",
- .data = &brnf_pass_vlan_indev,
+ .data = &init_brnf_net.pass_vlan_indev,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 06811d7..25a785e 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -312,6 +312,19 @@ struct br_input_skb_cb {
# define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb) (0)
#endif
+#if defined CONFIG_BRIDGE_NETFILTER && defined CONFIG_SYSCTL
+struct brnf_net {
+ struct net *net;
+ struct ctl_table_header *hdr;
+ int call_arptables;
+ int call_iptables;
+ int call_ip6tables;
+ int filter_vlan_tagged;
+ int filter_pppoe_tagged;
+ int pass_vlan_indev;
+};
+#endif
+
#define br_printk(level, br, format, args...) \
printk(level "%s: " format, (br)->dev->name, ##args)
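Review bot: `struct net *net` is neither assigned nor read anywhere in this patch (`init_brnf_net` leaves it zero-initialised), and `hdr` is only ever set to NULL; either introduce both members in 2/2, where `bn->net = net` first assigns them, or state in the commit message that they are reserved for the per-netns copy so the unused fields do not look like an oversight.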
--
1.7.5.4
* [PATCH RFC v3 2/2] br_netfilter: per-netns copy of structure for sysctl flags
From: Vasily Averin @ 2014-05-12 16:32 UTC (permalink / raw)
To: Bart De Schuymer, Patrick McHardy
Cc: Florian Westphal, netfilter-devel, Pablo Neira Ayuso
pernet_operations creates a per-netns copy of the common structure for sysctl flags
and initializes it with values taken from init_brnf_net.
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 104 +++++++++++++++++++++++++++++++++++++-------
1 files changed, 87 insertions(+), 17 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 31bfd90..9886afc 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -40,6 +40,7 @@
#include "br_private.h"
#ifdef CONFIG_SYSCTL
#include <linux/sysctl.h>
+#include <net/netns/generic.h>
#endif
#define skb_origaddr(skb) (((struct bridge_skb_cb *) \
@@ -47,9 +48,6 @@
#define store_orig_dstaddr(skb) (skb_origaddr(skb) = ip_hdr(skb)->daddr)
#define dnat_took_place(skb) (skb_origaddr(skb) != ip_hdr(skb)->daddr)
-#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *brnf_sysctl_header;
-#endif
#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
@@ -58,6 +56,7 @@ static struct ctl_table_header *brnf_sysctl_header;
#define brnf_pass_vlan_indev 0
#ifdef CONFIG_SYSCTL
+static int brnf_net_id __read_mostly;
static struct brnf_net init_brnf_net = {
.hdr = NULL,
.call_arptables = brnf_call_arptables,
@@ -68,7 +67,13 @@ static struct brnf_net init_brnf_net = {
.pass_vlan_indev = brnf_pass_vlan_indev,
};
-#define brnf_flag(skb, flag) init_brnf_net.flag
+static inline struct brnf_net *brnf_net(const struct net *net)
+{
+ return net_generic(net, brnf_net_id);
+}
+
+#define skb_netns(skb) net((skb)->dev)
+#define brnf_flag(skb, flag) brnf_net(skb_netns(skb))->flag
#else
#define brnf_flag(skb, flag) brnf_##flag
#endif
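Review bot: `#define skb_netns(skb) net((skb)->dev)` uses a `net()` accessor; the in-tree helper for a device's namespace is `dev_net(dev)`, so please confirm this builds with CONFIG_SYSCTL=y and CONFIG_NET_NS=y. Independently of the name, `brnf_flag()` now dereferences `(skb)->dev` on every evaluation, including from the `IS_VLAN_*` and `IS_PPPOE_*` macros, so every call site must guarantee `skb->dev` is non-NULL; a comment on the macro stating that requirement would protect future callers. `brnf_net()` is only valid once `register_pernet_subsys()` has assigned `brnf_net_id`, which matters for the registration order in `br_netfilter_init()` later in this patch.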
@@ -1066,6 +1071,70 @@ static struct ctl_table brnf_table[] = {
},
{ }
};
+
+static int brnf_sysctl_net_register(struct brnf_net *bn)
+{
+ struct ctl_table *table;
+ struct ctl_table_header *hdr;
+ int i;
+
+ table = brnf_table;
+ if (!net_eq(bn->net, &init_net)) {
+
+ table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL);
+ if (!table)
+ goto err_alloc;
+ }
+ for (i = 0; table[i].data; i++)
+ table[i].data += (char *)bn - (char *)&init_brnf_net;
+
+ hdr = register_net_sysctl(bn->net, "net/bridge", table);
+ if (!hdr)
+ goto err_reg;
+
+ bn->hdr = hdr;
+ return 0;
+
+err_reg:
+ if (!net_eq(bn->net, &init_net))
+ kfree(table);
+err_alloc:
+ return -ENOMEM;
+}
+
+static void brnf_sysctl_net_unregister(struct brnf_net *bn)
+{
+ struct ctl_table *table;
+
+ if (bn->hdr == NULL)
+ return;
+
+ table = bn->hdr->ctl_table_arg;
+ unregister_net_sysctl_table(bn->hdr);
+ if (!net_eq(bn->net, &init_net))
+ kfree(table);
+}
+
+static int __net_init brnf_net_init(struct net *net)
+{
+ struct brnf_net *bn = brnf_net(net);
+
+ memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
+ bn->net = net;
+ return brnf_sysctl_net_register(bn);
+}
+
+static void __net_exit brnf_net_exit(struct net *net)
+{
+ brnf_sysctl_net_unregister(brnf_net(net));
+}
+
+static struct pernet_operations __net_initdata brnf_net_ops = {
+ .init = brnf_net_init,
+ .exit = brnf_net_exit,
+ .id = &brnf_net_id,
+ .size = sizeof(struct brnf_net),
+};
#endif
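Review bot: `brnf_net_ops` is declared `__net_initdata` but is also passed to `unregister_pernet_subsys()` from `br_netfilter_fini()` in the next hunk. With CONFIG_NET_NS=n, `__net_initdata` expands to `__initdata`, so the structure is discarded after init and the unregister call at module exit walks freed memory; drop the annotation, as subsystems that unregister at exit do. Two smaller points in `brnf_sysctl_net_register()`: for `init_net` the static `brnf_table` is rebased in place by `table[i].data += (char *)bn - (char *)&init_brnf_net;`, which is only safe because `init_net` is registered exactly once and deserves a comment saying so; and the rebase assumes every `.data` entry points inside `init_brnf_net`, so a `WARN_ON()` that the rebased pointer lies within `bn` would catch a future table entry that points elsewhere before it becomes a write into unrelated memory through /proc/sys.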
int __init br_netfilter_init(void)
@@ -1074,32 +1143,33 @@ int __init br_netfilter_init(void)
ret = dst_entries_init(&fake_dst_ops);
if (ret < 0)
- return ret;
+ goto err_dst;
ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
- if (ret < 0) {
- dst_entries_destroy(&fake_dst_ops);
- return ret;
- }
+ if (ret < 0)
+ goto err_nf;
+
#ifdef CONFIG_SYSCTL
- brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
- if (brnf_sysctl_header == NULL) {
- printk(KERN_WARNING
- "br_netfilter: can't register to sysctl.\n");
+ ret = register_pernet_subsys(&brnf_net_ops);
+ if (ret < 0) {
nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
- dst_entries_destroy(&fake_dst_ops);
- return -ENOMEM;
+ goto err_nf;
}
#endif
printk(KERN_NOTICE "Bridge firewalling registered\n");
return 0;
+
+err_nf:
+ dst_entries_destroy(&fake_dst_ops);
+err_dst:
+ return ret;
}
void br_netfilter_fini(void)
{
- nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
#ifdef CONFIG_SYSCTL
- unregister_net_sysctl_table(brnf_sysctl_header);
+ unregister_pernet_subsys(&brnf_net_ops);
#endif
+ nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
dst_entries_destroy(&fake_dst_ops);
}
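Review bot: the registration order opens a window in which the hooks run before their per-netns data exists: `nf_register_hooks()` is called before `register_pernet_subsys(&brnf_net_ops)`, and until the latter returns `brnf_net_id` still holds its initial value and no namespace has a `brnf_net` allocated, so a bridged packet arriving in between reaches `brnf_flag()` and `net_generic()` with an invalid id. The teardown has the same problem in reverse: `br_netfilter_fini()` now calls `unregister_pernet_subsys()` (which runs `brnf_net_exit()` and frees the generic data) before `nf_unregister_hooks()`, so a packet in flight during unload uses freed memory. Register the pernet subsys first and unregister it last, mirroring the old code, which unregistered the hooks before the sysctl header. The `KERN_WARNING "br_netfilter: can't register to sysctl.\n"` message is also dropped, so the failure is now silent apart from the error code.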
--
1.7.5.4
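The core of patch 2/2 is the table-duplication trick in `brnf_sysctl_net_register()`: the template `brnf_table` has `.data` pointers into `init_brnf_net`, and each namespace gets a copy of the table with every pointer shifted by the distance between `init_brnf_net` and that namespace's `brnf_net`. The following user-space model is an added example, not code from the patch or from the kernel: the kernel types and helpers (`struct ctl_table`, `kmemdup`, `register_net_sysctl`, `net_generic`) are replaced by minimal look-alikes, the function names `brnf_table_for`, `brnf_net_init_model`, `brnf_sysctl_read` and `demo` are mine, the model always duplicates the table (the patch rebases the static table in place for `init_net`), and the bounds check on each rebased pointer is an addition the patch does not perform. It also shows the behaviour Bart describes in the thread: a new namespace starts from the template defaults, and a write in one namespace does not leak into another.

```c
/* Added user-space model of the per-netns sysctl table rebasing in
 * brnf_sysctl_net_register(); not the patch's code. Kernel types and
 * helpers are replaced by look-alikes so the pointer arithmetic can be
 * run and checked on an ordinary host. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look-alike of the kernel's struct brnf_net (same members as the patch). */
struct brnf_net {
    void *net;            /* owning namespace, opaque tag here */
    void *hdr;            /* registered table header, unused in the model */
    int call_arptables;
    int call_iptables;
    int call_ip6tables;
    int filter_vlan_tagged;
    int filter_pppoe_tagged;
    int pass_vlan_indev;
};

/* Look-alike of struct ctl_table: name plus a pointer to the int it controls. */
struct ctl_table {
    const char *procname;
    void *data;
};

/* Template instance holding the compiled-in defaults, as in the patch. */
static struct brnf_net init_brnf_net = {
    .call_arptables = 1, .call_iptables = 1, .call_ip6tables = 1,
};

/* Template table whose .data pointers all point INTO init_brnf_net. */
static struct ctl_table brnf_table[] = {
    { "bridge-nf-call-arptables",      &init_brnf_net.call_arptables },
    { "bridge-nf-call-iptables",       &init_brnf_net.call_iptables },
    { "bridge-nf-call-ip6tables",      &init_brnf_net.call_ip6tables },
    { "bridge-nf-filter-vlan-tagged",  &init_brnf_net.filter_vlan_tagged },
    { "bridge-nf-filter-pppoe-tagged", &init_brnf_net.filter_pppoe_tagged },
    { "bridge-nf-pass-vlan-input-dev", &init_brnf_net.pass_vlan_indev },
    { NULL, NULL },
};

/* Duplicate the template table and rebase every .data pointer from
 * init_brnf_net to the per-namespace copy bn (the patch's
 * "table[i].data += (char *)bn - (char *)&init_brnf_net"). Returns NULL on
 * allocation failure or if a rebased pointer would fall outside bn; that
 * bounds check is an addition the kernel code does not make. */
struct ctl_table *brnf_table_for(struct brnf_net *bn)
{
    struct ctl_table *table = malloc(sizeof(brnf_table));
    ptrdiff_t delta = (char *)bn - (char *)&init_brnf_net;
    int i;

    if (!table)
        return NULL;
    memcpy(table, brnf_table, sizeof(brnf_table));
    for (i = 0; table[i].data; i++) {
        char *p = (char *)table[i].data + delta;
        if (p < (char *)bn || p + sizeof(int) > (char *)bn + sizeof(*bn)) {
            free(table);
            return NULL;
        }
        table[i].data = p;
    }
    return table;
}

/* Model of brnf_net_init(): a fresh namespace starts from the template
 * defaults, never from another namespace's current values. */
void brnf_net_init_model(struct brnf_net *bn, void *net)
{
    memcpy(bn, &init_brnf_net, sizeof(*bn));
    bn->net = net;
}

/* Read the int a sysctl name controls in a given table; -1 if absent. */
int brnf_sysctl_read(const struct ctl_table *table, const char *name)
{
    for (; table->data; table++)
        if (strcmp(table->procname, name) == 0)
            return *(int *)table->data;
    return -1;
}

/* Scenario: two namespaces; a write in one must not be visible in the other
 * and must leave the template untouched. Returns 1 if isolation holds. */
int demo(void)
{
    static int tag_a, tag_b;      /* stand-ins for struct net pointers */
    struct brnf_net ns_a, ns_b;
    struct ctl_table *ta, *tb;
    int ok;

    brnf_net_init_model(&ns_a, &tag_a);
    brnf_net_init_model(&ns_b, &tag_b);
    ta = brnf_table_for(&ns_a);
    tb = brnf_table_for(&ns_b);
    if (!ta || !tb) {
        free(ta);
        free(tb);
        return 0;
    }
    ns_a.call_iptables = 0;       /* "sysctl -w" inside namespace A */
    ok = brnf_sysctl_read(ta, "bridge-nf-call-iptables") == 0
      && brnf_sysctl_read(tb, "bridge-nf-call-iptables") == 1
      && init_brnf_net.call_iptables == 1;
    free(ta);
    free(tb);
    return ok;
}

int main(void)
{
    int ok = demo();

    printf("per-netns sysctl isolation %s\n", ok ? "holds" : "BROKEN");
    return ok ? 0 : 1;
}
```

The delta is computed once per namespace and applied to every entry, which is exactly why the technique only works while every `.data` pointer in the template points inside `init_brnf_net`; the added bounds check turns a violation of that invariant into a failed registration instead of a stray pointer reachable through /proc/sys.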
* Re: [PATCH RFC v3 2/2] br_netfilter: per-netns copy of structure for sysctl flags
From: Bart De Schuymer @ 2014-05-12 19:04 UTC (permalink / raw)
To: Vasily Averin, Patrick McHardy
Cc: Florian Westphal, netfilter-devel, Pablo Neira Ayuso
Vasily Averin schreef op 12/05/2014 18:32:
> pernet_operations creates a per-netns copy of the common structure for sysctl flags
> and initializes it with values taken from init_brnf_net.
>
> Signed-off-by: Vasily Averin <vvs@openvz.org>
> +static int __net_init brnf_net_init(struct net *net)
> +{
> + struct brnf_net *bn = brnf_net(net);
> +
> + memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
> + bn->net = net;
> + return brnf_sysctl_net_register(bn);
This does introduce a bit of backwards incompatibility (easily fixed by
adapting scripts), but this is really unavoidable when transforming an
existing global configuration to a per-netns configuration. I'm ok with it.
cheers,
Bart
* Re: [PATCH RFC v3 2/2] br_netfilter: per-netns copy of structure for sysctl flags
From: Vasily Averin @ 2014-05-12 20:11 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Patrick McHardy, Florian Westphal, netfilter-devel, Pablo Neira Ayuso
On 05/12/2014 11:04 PM, Bart De Schuymer wrote:
> Vasily Averin schreef op 12/05/2014 18:32:
>> pernet_operations creates a per-netns copy of the common structure for sysctl flags
>> and initializes it with values taken from init_brnf_net.
>>
>> Signed-off-by: Vasily Averin <vvs@openvz.org>
>
>> +static int __net_init brnf_net_init(struct net *net)
>> +{
>> + struct brnf_net *bn = brnf_net(net);
>> +
>> + memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
>> + bn->net = net;
>> + return brnf_sysctl_net_register(bn);
>
> This does introduce a bit of backwards incompatibility (easily fixed
> by adapting scripts), but this is really unavoidable when
> transforming an existing global configuration to a per-netns
> configuration. I'm ok with it.
Could you please explain which backward incompatibility you mean here?
Nobody changes the values in init_brnf_net;
init_net has its own copy, like any other network namespace.
* Re: [PATCH RFC v3 2/2] br_netfilter: per-netns copy of structure for sysctl flags
From: Bart De Schuymer @ 2014-05-13 19:28 UTC (permalink / raw)
To: Vasily Averin
Cc: Patrick McHardy, Florian Westphal, netfilter-devel, Pablo Neira Ayuso
Vasily Averin schreef op 12/05/2014 22:11:
> On 05/12/2014 11:04 PM, Bart De Schuymer wrote:
>> Vasily Averin schreef op 12/05/2014 18:32:
>>> pernet_operations creates a per-netns copy of the common structure for sysctl flags
>>> and initializes it with values taken from init_brnf_net.
>>>
>>> Signed-off-by: Vasily Averin <vvs@openvz.org>
>>
>>> +static int __net_init brnf_net_init(struct net *net)
>>> +{
>>> + struct brnf_net *bn = brnf_net(net);
>>> +
>>> + memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
>>> + bn->net = net;
>>> + return brnf_sysctl_net_register(bn);
>>
>> This does introduce a bit of backwards incompatibility (easily fixed
>> by adapting scripts), but this is really unavoidable when
>> transforming an existing global configuration to a per-netns
>> configuration. I'm ok with it.
>
> Could you please explain which backward incompatibility you mean here?
> Nobody changes the values in init_brnf_net;
> init_net has its own copy, like any other network namespace.
Well, init_brnf_net is never written to, so it keeps the default flags.
If a new netns is created, a copy of the contents of init_brnf_net is
made. So, whenever a netns is created, it starts with the default flags
(e.g. brnf_call_iptables is always 1 for a newly created netns).
In the current kernel, when a new netns is created, the configuration of
the main netns is used (the proc system doesn't even show the flags in
the created netns): if brnf_call_iptables is 0 before the new netns is
created, iptables won't see bridged IP traffic in the new netns.
With your patch, this behaviour will change.
It's possible to alter your patch to keep the same behaviour as before
at netns creation, but always starting from the same defaults is cleaner.
cheers,
Bart
* [PATCH RFC v2 03/11] br_netfilter: brnf_flag macro
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 3e81fd6..e70cbd1 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -76,6 +76,12 @@ static struct brnf_net init_brnf_net = {
};
#endif
+#ifdef CONFIG_SYSCTL
+#define brnf_flag(skb, flag) init_brnf_net.flag
+#else
+#define brnf_flag(skb, flag) brnf_##flag
+#endif
+
#define IS_IP(skb) \
(!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
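Review bot: the new `#ifdef CONFIG_SYSCTL` block immediately follows the `#endif` that closes the block defining `init_brnf_net` (`};` / `#endif` in the context lines), so the `init_brnf_net.flag` arm can move up into that block and only the `#else` arm needs its own conditional. The `skb` parameter is unused by both arms; a short comment saying it is reserved for the per-netns lookup would explain why it exists. Note also that the `brnf_##flag` arm pastes a token, so every flag name passed to the macro must have a matching `brnf_` define in the `#else` branch of the earlier block, which is the case for the six flags today but is an easy thing to break when a flag is added.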
--
1.7.5.4
* [PATCH RFC v2 04/11] br_netfilter: switch sysctl call_arptables to init_brnf_net
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index e70cbd1..bd0746c 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -51,18 +51,17 @@
static struct ctl_table_header *brnf_sysctl_header;
static int brnf_call_iptables __read_mostly = 1;
static int brnf_call_ip6tables __read_mostly = 1;
-static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0;
static int brnf_pass_vlan_indev __read_mostly = 0;
#else
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
-#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#define brnf_pass_vlan_indev 0
#endif
+#define brnf_call_arptables 1
#ifdef CONFIG_SYSCTL
static struct brnf_net init_brnf_net = {
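Review bot: `#define brnf_call_arptables 1` is placed after the `#endif` so that it exists in both branches, which is what the `init_brnf_net` initializer that follows (`.call_arptables = brnf_call_arptables`) needs in order to compile; that dependency is the reason this define belongs in the same patch as the initializer, not a separate one. With the `static int brnf_call_arptables __read_mostly` variable gone, the name is now the bare constant `1`, so any direct use of `brnf_call_arptables` left in the CONFIG_SYSCTL build silently reads the compiled-in default instead of the sysctl value; the two hunks below convert the users in `br_nf_forward_arp()` and `brnf_table`, and a grep for remaining references before merging would confirm none are missed.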
@@ -856,7 +855,7 @@ static unsigned int br_nf_forward_arp(const struct nf_hook_ops *ops,
return NF_ACCEPT;
br = p->br;
- if (!brnf_call_arptables && !br->nf_call_arptables)
+ if (!brnf_flag(skb, call_arptables) && !br->nf_call_arptables)
return NF_ACCEPT;
if (!IS_ARP(skb)) {
@@ -1033,7 +1032,7 @@ int brnf_sysctl_call_tables(struct ctl_table *ctl, int write,
static struct ctl_table brnf_table[] = {
{
.procname = "bridge-nf-call-arptables",
- .data = &brnf_call_arptables,
+ .data = &init_brnf_net.call_arptables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
--
1.7.5.4
* [PATCH RFC v2 05/11] br_netfilter: switch sysctls call_iptables and call_ip6tables to init_brnf_net
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 14 ++++++--------
1 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index bd0746c..f34ed89 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -49,19 +49,17 @@
#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_call_iptables __read_mostly = 1;
-static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0;
static int brnf_pass_vlan_indev __read_mostly = 0;
#else
-#define brnf_call_iptables 1
-#define brnf_call_ip6tables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#define brnf_pass_vlan_indev 0
#endif
#define brnf_call_arptables 1
+#define brnf_call_iptables 1
+#define brnf_call_ip6tables 1
#ifdef CONFIG_SYSCTL
static struct brnf_net init_brnf_net = {
@@ -707,14 +705,14 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
br = p->br;
if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
- if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
+ if (!brnf_flag(skb, call_ip6tables) && !br->nf_call_ip6tables)
return NF_ACCEPT;
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(ops, skb, in, out, okfn);
}
- if (!brnf_call_iptables && !br->nf_call_iptables)
+ if (!brnf_flag(skb, call_iptables) && !br->nf_call_iptables)
return NF_ACCEPT;
if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
@@ -1039,14 +1037,14 @@ static struct ctl_table brnf_table[] = {
},
{
.procname = "bridge-nf-call-iptables",
- .data = &brnf_call_iptables,
+ .data = &init_brnf_net.call_iptables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
},
{
.procname = "bridge-nf-call-ip6tables",
- .data = &brnf_call_ip6tables,
+ .data = &init_brnf_net.call_ip6tables,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
--
1.7.5.4
* [PATCH RFC v2 06/11] br_netfilter: switch sysctl filter_vlan_tagged to init_brnf_net
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index f34ed89..a3cd03d 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -49,17 +49,16 @@
#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0;
static int brnf_pass_vlan_indev __read_mostly = 0;
#else
-#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#define brnf_pass_vlan_indev 0
#endif
#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
+#define brnf_filter_vlan_tagged 0
#ifdef CONFIG_SYSCTL
static struct brnf_net init_brnf_net = {
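Review bot: this patch (and 07/11 and 08/11, which follow the same pattern) has no description between the Cc and Signed-off-by lines; a one-liner stating that `brnf_filter_vlan_tagged` is kept only as the compile-time default that seeds `init_brnf_net` and as the `!CONFIG_SYSCTL` fallback for `brnf_flag()` would help anyone bisecting. The code itself is right: the `#define brnf_filter_vlan_tagged 0` now sits after the `#endif`, so it is visible to both the `CONFIG_SYSCTL` initializer and the non-sysctl branch.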
@@ -100,15 +99,15 @@ static inline __be16 vlan_proto(const struct sk_buff *skb)
#define IS_VLAN_IP(skb) \
(vlan_proto(skb) == htons(ETH_P_IP) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
#define IS_VLAN_IPV6(skb) \
(vlan_proto(skb) == htons(ETH_P_IPV6) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
#define IS_VLAN_ARP(skb) \
(vlan_proto(skb) == htons(ETH_P_ARP) && \
- brnf_filter_vlan_tagged)
+ brnf_flag(skb, filter_vlan_tagged))
static inline __be16 pppoe_proto(const struct sk_buff *skb)
{
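Review bot: each of `IS_VLAN_IP()`, `IS_VLAN_IPV6()` and `IS_VLAN_ARP()` now performs its own `brnf_flag()` lookup, and these macros are chained on the receive path (`!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb)` in `br_nf_pre_routing`), so once 11/11 turns `brnf_flag()` into a `net_generic()` dereference a single frame can trigger several per-net lookups in one hook. Consider fetching `struct brnf_net *bn` once at the top of each hook and passing it to these helpers. The operand order is fine as is: `vlan_proto(skb)` is tested first, so the flag is only read for VLAN frames.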
@@ -1051,7 +1050,7 @@ static struct ctl_table brnf_table[] = {
},
{
.procname = "bridge-nf-filter-vlan-tagged",
- .data = &brnf_filter_vlan_tagged,
+ .data = &init_brnf_net.filter_vlan_tagged,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
--
1.7.5.4
* [PATCH RFC v2 07/11] br_netfilter: switch sysctl filter_pppoe_tagged to init_brnf_net
[not found] ` <cover.1399897184.git.vvs@openvz.org>
` (5 preceding siblings ...)
2014-05-12 12:57 ` [PATCH RFC v2 06/11] br_netfilter: switch sysctl filter_vlan_tagged " Vasily Averin
@ 2014-05-12 12:57 ` Vasily Averin
2014-05-12 12:57 ` [PATCH RFC v2 08/11] br_netfilter: switch sysctl pass_vlan_indev " Vasily Averin
` (3 subsequent siblings)
10 siblings, 0 replies; 32+ messages in thread
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 9 ++++-----
1 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index a3cd03d..ae970ff 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -49,16 +49,15 @@
#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_filter_pppoe_tagged __read_mostly = 0;
static int brnf_pass_vlan_indev __read_mostly = 0;
#else
-#define brnf_filter_pppoe_tagged 0
#define brnf_pass_vlan_indev 0
#endif
#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
#define brnf_filter_vlan_tagged 0
+#define brnf_filter_pppoe_tagged 0
#ifdef CONFIG_SYSCTL
static struct brnf_net init_brnf_net = {
@@ -118,12 +117,12 @@ static inline __be16 pppoe_proto(const struct sk_buff *skb)
#define IS_PPPOE_IP(skb) \
(skb->protocol == htons(ETH_P_PPP_SES) && \
pppoe_proto(skb) == htons(PPP_IP) && \
- brnf_filter_pppoe_tagged)
+ brnf_flag(skb, filter_pppoe_tagged))
#define IS_PPPOE_IPV6(skb) \
(skb->protocol == htons(ETH_P_PPP_SES) && \
pppoe_proto(skb) == htons(PPP_IPV6) && \
- brnf_filter_pppoe_tagged)
+ brnf_flag(skb, filter_pppoe_tagged))
static void fake_update_pmtu(struct dst_entry *dst, struct sock *sk,
struct sk_buff *skb, u32 mtu)
@@ -1057,7 +1056,7 @@ static struct ctl_table brnf_table[] = {
},
{
.procname = "bridge-nf-filter-pppoe-tagged",
- .data = &brnf_filter_pppoe_tagged,
+ .data = &init_brnf_net.filter_pppoe_tagged,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
--
1.7.5.4
* [PATCH RFC v2 08/11] br_netfilter: switch sysctl pass_vlan_indev to init_brnf_net
[not found] ` <cover.1399897184.git.vvs@openvz.org>
` (6 preceding siblings ...)
2014-05-12 12:57 ` [PATCH RFC v2 07/11] br_netfilter: switch sysctl filter_pppoe_tagged " Vasily Averin
@ 2014-05-12 12:57 ` Vasily Averin
2014-05-12 12:57 ` [PATCH RFC v2 09/11] br_netfilter: added pernet_operations without sysctl registration Vasily Averin
` (2 subsequent siblings)
10 siblings, 0 replies; 32+ messages in thread
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 8 +++-----
1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ae970ff..55794c4 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -49,15 +49,13 @@
#ifdef CONFIG_SYSCTL
static struct ctl_table_header *brnf_sysctl_header;
-static int brnf_pass_vlan_indev __read_mostly = 0;
-#else
-#define brnf_pass_vlan_indev 0
#endif
#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
+#define brnf_pass_vlan_indev 0
#ifdef CONFIG_SYSCTL
static struct brnf_net init_brnf_net = {
@@ -545,7 +543,7 @@ static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct
struct net_device *vlan, *br;
br = bridge_parent(dev);
- if (brnf_pass_vlan_indev == 0 || !vlan_tx_tag_present(skb))
+ if (brnf_flag(skb, pass_vlan_indev) == 0 || !vlan_tx_tag_present(skb))
return br;
vlan = __vlan_find_dev_deep(br, skb->vlan_proto,
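Review bot: style nit in `brnf_get_logical_dev()`: `brnf_flag(skb, pass_vlan_indev) == 0` should become `!brnf_flag(skb, pass_vlan_indev)` to match the other converted call sites (`!brnf_flag(skb, call_iptables)` in 05/11), i.e. `if (!brnf_flag(skb, pass_vlan_indev) || !vlan_tx_tag_present(skb))`.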
@@ -1063,7 +1061,7 @@ static struct ctl_table brnf_table[] = {
},
{
.procname = "bridge-nf-pass-vlan-input-dev",
- .data = &brnf_pass_vlan_indev,
+ .data = &init_brnf_net.pass_vlan_indev,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = brnf_sysctl_call_tables,
--
1.7.5.4
* [PATCH RFC v2 09/11] br_netfilter: added pernet_operations without sysctl registration
[not found] ` <cover.1399897184.git.vvs@openvz.org>
` (7 preceding siblings ...)
2014-05-12 12:57 ` [PATCH RFC v2 08/11] br_netfilter: switch sysctl pass_vlan_indev " Vasily Averin
@ 2014-05-12 12:57 ` Vasily Averin
2014-05-12 12:58 ` [PATCH RFC v2 10/11] br_netfilter: per-netns " Vasily Averin
2014-05-12 12:58 ` [PATCH RFC v2 11/11] br_netfilter: switch all sysctls to per-netns processing Vasily Averin
10 siblings, 0 replies; 32+ messages in thread
From: Vasily Averin @ 2014-05-12 12:57 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Added registration of per-netns operations without sysctl registration;
also reworked rollback in br_netfilter_init().
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 50 +++++++++++++++++++++++++++++++++++++++-----
1 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 55794c4..a079c06 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -40,6 +40,7 @@
#include "br_private.h"
#ifdef CONFIG_SYSCTL
#include <linux/sysctl.h>
+#include <net/netns/generic.h>
#endif
#define skb_origaddr(skb) (((struct bridge_skb_cb *) \
@@ -58,6 +59,7 @@ static struct ctl_table_header *brnf_sysctl_header;
#define brnf_pass_vlan_indev 0
#ifdef CONFIG_SYSCTL
+static int brnf_net_id __read_mostly;
static struct brnf_net init_brnf_net = {
.hdr = NULL,
.call_arptables = brnf_call_arptables,
@@ -67,6 +69,11 @@ static struct brnf_net init_brnf_net = {
.filter_pppoe_tagged = brnf_filter_pppoe_tagged,
.pass_vlan_indev = brnf_pass_vlan_indev,
};
+
+static inline struct brnf_net *brnf_net(const struct net *net)
+{
+ return net_generic(net, brnf_net_id);
+}
#endif
#ifdef CONFIG_SYSCTL
@@ -1068,6 +1075,26 @@ static struct ctl_table brnf_table[] = {
},
{ }
};
+
+static int __net_init brnf_net_init(struct net *net)
+{
+ struct brnf_net *bn = brnf_net(net);
+
+ memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
+ bn->net = net;
+ return 0;
+}
+
+static void __net_exit brnf_net_exit(struct net *net)
+{
+}
+
+static struct pernet_operations __net_initdata brnf_net_ops = {
+ .init = brnf_net_init,
+ .exit = brnf_net_exit,
+ .id = &brnf_net_id,
+ .size = sizeof(struct brnf_net),
+};
#endif
int __init br_netfilter_init(void)
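Review bot: `brnf_net_ops` must not be `__net_initdata`. `br_netfilter_fini()` passes it to `unregister_pernet_subsys()` at module unload, and with CONFIG_NET_NS disabled `__net_initdata` expands to `__initdata`, so the structure would already have been discarded after module init when `fini` walks it. Drop the annotation, as other modules that unregister their ops on exit do. One semantic point for the log: `brnf_net_init()` copies from `init_brnf_net`, whose fields are also the live `.data` targets of init_net's sysctls in 05/11 to 08/11, so until 11/11 rebases the table a newly created namespace starts from the host's current settings rather than the compiled defaults; say which of the two is intended.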
@@ -1076,13 +1103,12 @@ int __init br_netfilter_init(void)
ret = dst_entries_init(&fake_dst_ops);
if (ret < 0)
- return ret;
+ goto err_dst;
ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
- if (ret < 0) {
- dst_entries_destroy(&fake_dst_ops);
- return ret;
- }
+ if (ret < 0)
+ goto err_nf;
+
#ifdef CONFIG_SYSCTL
brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
if (brnf_sysctl_header == NULL) {
@@ -1092,16 +1118,28 @@ int __init br_netfilter_init(void)
dst_entries_destroy(&fake_dst_ops);
return -ENOMEM;
}
+ ret = register_pernet_subsys(&brnf_net_ops);
+ if (ret < 0) {
+ unregister_net_sysctl_table(brnf_sysctl_header);
+ nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
+ goto err_nf;
+ }
#endif
printk(KERN_NOTICE "Bridge firewalling registered\n");
return 0;
+
+err_nf:
+ dst_entries_destroy(&fake_dst_ops);
+err_dst:
+ return ret;
}
void br_netfilter_fini(void)
{
- nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
#ifdef CONFIG_SYSCTL
+ unregister_pernet_subsys(&brnf_net_ops);
unregister_net_sysctl_table(brnf_sysctl_header);
#endif
+ nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
dst_entries_destroy(&fake_dst_ops);
}
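Review bot: the unwinding is only half converted. The sysctl failure branch still calls `nf_unregister_hooks()` and `dst_entries_destroy()` by hand and returns `-ENOMEM`, and the new `register_pernet_subsys()` branch unregisters the sysctl table and the hooks inline before jumping to `err_nf`. Add `err_sysctl:` (`unregister_net_sysctl_table`) and `err_hooks:` (`nf_unregister_hooks`) labels above `err_nf:` so every failure runs one chain, and rename the labels after what they undo: `err_nf:` actually destroys the dst entries and `err_dst:` does nothing but `return ret`.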
--
1.7.5.4
* [PATCH RFC v2 10/11] br_netfilter: per-netns sysctl registration
[not found] ` <cover.1399897184.git.vvs@openvz.org>
` (8 preceding siblings ...)
2014-05-12 12:57 ` [PATCH RFC v2 09/11] br_netfilter: added pernet_operations without sysctl registration Vasily Averin
@ 2014-05-12 12:58 ` Vasily Averin
2014-05-12 12:58 ` [PATCH RFC v2 11/11] br_netfilter: switch all sysctls to per-netns processing Vasily Averin
10 siblings, 0 replies; 32+ messages in thread
From: Vasily Averin @ 2014-05-12 12:58 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 56 +++++++++++++++++++++++++++++++++-----------
1 files changed, 42 insertions(+), 14 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index a079c06..ed3b6ce 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -48,9 +48,6 @@
#define store_orig_dstaddr(skb) (skb_origaddr(skb) = ip_hdr(skb)->daddr)
#define dnat_took_place(skb) (skb_origaddr(skb) != ip_hdr(skb)->daddr)
-#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *brnf_sysctl_header;
-#endif
#define brnf_call_arptables 1
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
@@ -1076,17 +1073,58 @@ static struct ctl_table brnf_table[] = {
{ }
};
+static int brnf_sysctl_net_register(struct brnf_net *bn)
+{
+ struct ctl_table *table;
+ struct ctl_table_header *hdr;
+ int i;
+
+ table = brnf_table;
+ if (!net_eq(bn->net, &init_net)) {
+
+ table = kmemdup(table, sizeof(brnf_table), GFP_KERNEL);
+ if (!table)
+ goto err_alloc;
+ }
+ hdr = register_net_sysctl(bn->net, "net/bridge", table);
+ if (!hdr)
+ goto err_reg;
+
+ bn->hdr = hdr;
+ return 0;
+
+err_reg:
+ if (!net_eq(bn->net, &init_net))
+ kfree(table);
+err_alloc:
+ return -ENOMEM;
+}
+
+static void brnf_sysctl_net_unregister(struct brnf_net *bn)
+{
+ struct ctl_table *table;
+
+ if (bn->hdr == NULL)
+ return;
+
+ table = bn->hdr->ctl_table_arg;
+ unregister_net_sysctl_table(bn->hdr);
+ if (!net_eq(bn->net, &init_net))
+ kfree(table);
+}
+
static int __net_init brnf_net_init(struct net *net)
{
struct brnf_net *bn = brnf_net(net);
memcpy(bn, &init_brnf_net, sizeof(struct brnf_net));
bn->net = net;
- return 0;
+ return brnf_sysctl_net_register(bn);
}
static void __net_exit brnf_net_exit(struct net *net)
{
+ brnf_sysctl_net_unregister(brnf_net(net));
}
static struct pernet_operations __net_initdata brnf_net_ops = {
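Review bot: `int i;` in `brnf_sysctl_net_register()` is unused in this patch (the rebase loop that uses it arrives in 11/11), so this intermediate state builds with an unused-variable warning; move the declaration to 11/11. More importantly, the duplicated table still carries `.data` pointers into `init_brnf_net`, so with only 10/11 applied a sysctl write from a non-init namespace changes the values init_net uses as well (a namespace administrator could clear `bridge-nf-call-iptables` for the host). Since 11/11 fixes that, consider squashing 10 and 11 so no bisect point exposes it.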
@@ -1110,17 +1148,8 @@ int __init br_netfilter_init(void)
goto err_nf;
#ifdef CONFIG_SYSCTL
- brnf_sysctl_header = register_net_sysctl(&init_net, "net/bridge", brnf_table);
- if (brnf_sysctl_header == NULL) {
- printk(KERN_WARNING
- "br_netfilter: can't register to sysctl.\n");
- nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
- dst_entries_destroy(&fake_dst_ops);
- return -ENOMEM;
- }
ret = register_pernet_subsys(&brnf_net_ops);
if (ret < 0) {
- unregister_net_sysctl_table(brnf_sysctl_header);
nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
goto err_nf;
}
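Review bot: the `can't register to sysctl` warning disappears here and nothing replaces it; a sysctl registration failure now surfaces only as `-ENOMEM` from `register_pernet_subsys()`, and the same silent `-ENOMEM` is returned for every later namespace creation. A `pr_warn()` on the error path of `brnf_sysctl_net_register()` would keep the diagnostic.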
@@ -1138,7 +1167,6 @@ void br_netfilter_fini(void)
{
#ifdef CONFIG_SYSCTL
unregister_pernet_subsys(&brnf_net_ops);
- unregister_net_sysctl_table(brnf_sysctl_header);
#endif
nf_unregister_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
dst_entries_destroy(&fake_dst_ops);
--
1.7.5.4
* [PATCH RFC v2 11/11] br_netfilter: switch all sysctls to per-netns processing
[not found] ` <cover.1399897184.git.vvs@openvz.org>
` (9 preceding siblings ...)
2014-05-12 12:58 ` [PATCH RFC v2 10/11] br_netfilter: per-netns " Vasily Averin
@ 2014-05-12 12:58 ` Vasily Averin
10 siblings, 0 replies; 32+ messages in thread
From: Vasily Averin @ 2014-05-12 12:58 UTC (permalink / raw)
To: Bart De Schuymer
Cc: Florian Westphal, netfilter-devel, Patrick McHardy, Pablo Neira Ayuso
Signed-off-by: Vasily Averin <vvs@openvz.org>
---
net/bridge/br_netfilter.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ed3b6ce..f4b6b43 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -71,10 +71,9 @@ static inline struct brnf_net *brnf_net(const struct net *net)
{
return net_generic(net, brnf_net_id);
}
-#endif
-#ifdef CONFIG_SYSCTL
-#define brnf_flag(skb, flag) init_brnf_net.flag
+#define skb_netns(skb) dev_net((skb)->dev)
+#define brnf_flag(skb, flag) brnf_net(skb_netns(skb))->flag
#else
#define brnf_flag(skb, flag) brnf_##flag
#endif
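Review bot: with `brnf_flag()` now resolving through `net_generic(dev_net(skb->dev), brnf_net_id)`, the registration order kept from 09/11 in `br_netfilter_init()` (`nf_register_hooks()` first, `register_pernet_subsys(&brnf_net_ops)` afterwards) leaves a window in which a frame traversing a bridge reaches the hooks before `brnf_net_id` has been assigned and before any `struct brnf_net` exists, so the lookup dereferences an invalid per-net slot. Register the pernet subsystem before the hooks, and unregister the hooks before the subsystem in `br_netfilter_fini()`. The `#else` fallback `brnf_##flag` is unaffected.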
@@ -1086,6 +1085,9 @@ static int brnf_sysctl_net_register(struct brnf_net *bn)
if (!table)
goto err_alloc;
}
+ for (i = 0; table[i].data; i++)
+ table[i].data += (char *)bn - (char *)&init_brnf_net;
+
hdr = register_net_sysctl(bn->net, "net/bridge", table);
if (!hdr)
goto err_reg;
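Review bot: the rebase loop corrupts the shared template for every namespace after the first. For `init_net` the function uses `brnf_table` itself (no `kmemdup`), so `table[i].data += (char *)bn - (char *)&init_brnf_net;` rewrites the static entries in place and they now point into init_net's `net_generic` area instead of `init_brnf_net`. When the next namespace is created, `kmemdup` copies those already-rebased pointers and the loop adds the offset a second time, leaving `.data` pointing into unrelated memory; every read or write of `/proc/sys/net/bridge/bridge-nf-*` from a non-init namespace then touches the wrong address. Duplicate the table unconditionally so `brnf_table` stays a pristine template (which also lets `brnf_sysctl_net_unregister()` drop its `net_eq()` special case), or at least compute each entry from the untouched template rather than accumulating into it. The `void *` arithmetic on `.data` also relies on the GCC extension; a `(char *)` cast on the left side would make the intent explicit.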
--
1.7.5.4