diff -ruN linux-2.6.16-openvz-026test015/include/linux/nfcalls.h linux-2.6.16-openvz-026test015-xt_mac/include/linux/nfcalls.h
--- linux-2.6.16-openvz-026test015/include/linux/nfcalls.h 2006-08-03 09:44:51.000000000 +0200
+++ linux-2.6.16-openvz-026test015-xt_mac/include/linux/nfcalls.h 2006-08-02 11:35:38.000000000 +0200
@@ -165,6 +165,7 @@
 DECL_KSYM_MODULE(ip_nat_ftp);
 DECL_KSYM_MODULE(ip_nat_irc);
 DECL_KSYM_MODULE(ipt_REDIRECT);
+DECL_KSYM_MODULE(xt_mac);
 #endif
 struct sk_buff;
@@ -202,6 +203,7 @@
 DECL_KSYM_CALL(int, init_iptable_nat_ftp, (void));
 DECL_KSYM_CALL(int, init_iptable_nat_irc, (void));
 DECL_KSYM_CALL(int, init_iptable_REDIRECT, (void));
+DECL_KSYM_CALL(int, init_xt_mac, (void));
 DECL_KSYM_CALL(void, fini_iptable_nat_irc, (void));
 DECL_KSYM_CALL(void, fini_iptable_nat_ftp, (void));
 DECL_KSYM_CALL(void, fini_iptable_nat, (void));
@@ -235,6 +237,7 @@
 DECL_KSYM_CALL(void, fini_xtables, (void));
 DECL_KSYM_CALL(void, fini_netfilter, (void));
 DECL_KSYM_CALL(void, fini_iptable_REDIRECT, (void));
+DECL_KSYM_CALL(void, fini_xt_mac, (void));
 #include
diff -ruN linux-2.6.16-openvz-026test015/include/linux/vzcalluser.h linux-2.6.16-openvz-026test015-xt_mac/include/linux/vzcalluser.h
--- linux-2.6.16-openvz-026test015/include/linux/vzcalluser.h 2006-08-03 09:44:51.000000000 +0200
+++ linux-2.6.16-openvz-026test015-xt_mac/include/linux/vzcalluser.h 2006-08-03 10:17:20.000000000 +0200
@@ -88,6 +88,7 @@
 #define VE_IP_NAT_FTP_MOD (1U<<21)
 #define VE_IP_NAT_IRC_MOD (1U<<22)
 #define VE_IP_TARGET_REDIRECT_MOD (1U<<23)
+#define VE_IP_MATCH_MAC_MOD (1U<<24)
 /* these masks represent modules with their dependences */
 #define VE_IP_IPTABLES (VE_IP_IPTABLES_MOD)
@@ -135,6 +136,8 @@
 | VE_IP_NAT | VE_IP_CONNTRACK_IRC)
 #define VE_IP_TARGET_REDIRECT (VE_IP_TARGET_REDIRECT_MOD \
 | VE_IP_NAT)
+#define VE_IP_MATCH_MAC (VE_IP_MATCH_MAC_MOD \
+ | VE_IP_IPTABLES)
 /* safe iptables mask to be used by default */
 #define VE_IP_DEFAULT \
diff -ruN linux-2.6.16-openvz-026test015/kernel/ve.c linux-2.6.16-openvz-026test015-xt_mac/kernel/ve.c
--- linux-2.6.16-openvz-026test015/kernel/ve.c 2006-08-03 09:44:51.000000000 +0200
+++ linux-2.6.16-openvz-026test015-xt_mac/kernel/ve.c 2006-08-02 11:39:17.000000000 +0200
@@ -85,6 +85,7 @@
 INIT_KSYM_MODULE(ip_nat_ftp);
 INIT_KSYM_MODULE(ip_nat_irc);
 INIT_KSYM_MODULE(ipt_REDIRECT);
+INIT_KSYM_MODULE(xt_mac);
 INIT_KSYM_CALL(int, init_netfilter, (void));
 INIT_KSYM_CALL(int, init_xtables, (void));
@@ -119,6 +120,7 @@
 INIT_KSYM_CALL(int, init_iptable_nat_ftp, (void));
 INIT_KSYM_CALL(int, init_iptable_nat_irc, (void));
 INIT_KSYM_CALL(int, init_iptable_REDIRECT, (void));
+INIT_KSYM_CALL(int, init_xt_mac, (void));
 INIT_KSYM_CALL(void, fini_iptable_nat_irc, (void));
 INIT_KSYM_CALL(void, fini_iptable_nat_ftp, (void));
 INIT_KSYM_CALL(void, fini_iptable_nat, (void));
@@ -152,6 +154,7 @@
 INIT_KSYM_CALL(void, fini_xtables, (void));
 INIT_KSYM_CALL(void, fini_netfilter, (void));
 INIT_KSYM_CALL(void, fini_iptable_REDIRECT, (void));
+INIT_KSYM_CALL(void, fini_xt_mac, (void));
 INIT_KSYM_CALL(void, ipt_flush_table, (struct xt_table *table));
 INIT_KSYM_CALL(void, ip6t_flush_table, (struct xt_table *table));
diff -ruN linux-2.6.16-openvz-026test015/kernel/vecalls.c linux-2.6.16-openvz-026test015-xt_mac/kernel/vecalls.c
--- linux-2.6.16-openvz-026test015/kernel/vecalls.c 2006-08-03 09:44:51.000000000 +0200
+++ linux-2.6.16-openvz-026test015-xt_mac/kernel/vecalls.c 2006-08-03 10:15:44.000000000 +0200
@@ -1775,11 +1775,24 @@
 if (err < 0)
 goto err_iptable_REDIRECT;
 #endif
+#if defined(CONFIG_NETFILTER_XT_MATCH_MAC) || \
+ defined(CONFIG_NETFILTER_XT_MATCH_MAC_MODULE)
+ err = KSYMIPTINIT(init_mask, ve, VE_IP_MATCH_MAC,
+ xt_mac, init_xt_mac, ());
+ if (err < 0)
+ goto err_xt_mac;
+#endif
 return 0;
 /* ------------------------------------------------------------------------- */
 cleanup:
+#if defined(CONFIG_NETFILTER_XT_MATCH_MAC) || \
+ defined(CONFIG_NETFILTER_XT_MATCH_MAC_MODULE)
+ KSYMIPTFINI(ve->_iptables_modules, VE_IP_MATCH_MAC,
+ xt_mac, fini_xt_mac, ());
+err_xt_mac:
+#endif
 #if defined(CONFIG_IP_NF_TARGET_REDIRECT) || \
 defined(CONFIG_IP_NF_TARGET_REDIRECT_MODULE)
 KSYMIPTFINI(ve->_iptables_modules, VE_IP_TARGET_REDIRECT,
diff -ruN linux-2.6.16-openvz-026test015/net/netfilter/xt_mac.c linux-2.6.16-openvz-026test015-xt_mac/net/netfilter/xt_mac.c
--- linux-2.6.16-openvz-026test015/net/netfilter/xt_mac.c 2006-03-20 06:53:29.000000000 +0100
+++ linux-2.6.16-openvz-026test015-xt_mac/net/netfilter/xt_mac.c 2006-08-03 10:13:33.000000000 +0200
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -23,6 +24,13 @@
 MODULE_ALIAS("ipt_mac");
 MODULE_ALIAS("ip6t_mac");
+#ifdef CONFIG_VE_IPTABLES
+#include
+#define ve_mac_match (*(get_exec_env()->_mac_match))
+#else
+#define ve_mac_match mac_match
+#endif
+
 static int
 match(const struct sk_buff *skb,
 const struct net_device *in,
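Review bot: `ve_mac_match`, defined in the xt_mac.c hunk at -23,6 +24,13, is never used anywhere in this patch: `init_xt_mac()` and `fini_xt_mac()` in the last hunk still pass `&mac_match` and `&mac6_match` directly. The `_mac_match` member it dereferences is not added to the VE structure by any hunk shown, so under CONFIG_VE_IPTABLES the first use of the macro would either not compile or read a pointer that nothing here assigns; there is also no counterpart for `mac6_match`. Either drop the block until the per-VE object exists, or finish the wiring and head it with a comment such as `/* per-VE mac match object; set up by init_xt_mac() for the calling VE */`. The `match` function that begins at the end of this hunk continues outside it.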
@@ -76,24 +84,47 @@
 .me = THIS_MODULE,
 };
+int init_xt_mac(void)
+{
+ int ret;
+
+ ret = xt_register_match(AF_INET, &mac_match);
+ if (ret < 0)
+ return ret;
+
+ ret = xt_register_match(AF_INET6, &mac6_match);
+ if (ret < 0)
+ xt_unregister_match(AF_INET, &mac_match);
+
+ return ret;
+}
+
+void fini_xt_mac(void)
+{
+ xt_unregister_match(AF_INET, &mac_match);
+ xt_unregister_match(AF_INET6, &mac6_match);
+}
+
 static int __init init(void)
 {
- int ret;
- ret = xt_register_match(AF_INET, &mac_match);
- if (ret)
- return ret;
-
- ret = xt_register_match(AF_INET6, &mac6_match);
- if (ret)
- xt_unregister_match(AF_INET, &mac_match);
+ int err;
- return ret;
+ err = init_xt_mac();
+ if (err < 0)
+ return err;
+
+ KSYMRESOLVE(init_xt_mac);
+ KSYMRESOLVE(fini_xt_mac);
+ KSYMMODRESOLVE(xt_mac);
+ return 0;
 }
 static void __exit fini(void)
 {
- xt_unregister_match(AF_INET, &mac_match);
- xt_unregister_match(AF_INET6, &mac6_match);
+ KSYMMODUNRESOLVE(xt_mac);
+ KSYMUNRESOLVE(init_xt_mac);
+ KSYMUNRESOLVE(fini_xt_mac);
+ fini_xt_mac();
 }
 module_init(init);
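Review bot: `init_xt_mac()` registers the file-scope `mac_match` and `mac6_match` objects, yet after this patch it runs from the module's `init()` and again, through `KSYMIPTINIT` in kernel/vecalls.c, for every VE started with `VE_IP_MATCH_MAC`. Unless `xt_register_match()` in this tree keeps a separate list and copy per VE (not visible here), each container start re-links a node that is already on the list, and `fini_xt_mac()` during one container's teardown removes the match for the host and for every other container. Registration should go through a per-VE object, which is what the unused `ve_mac_match` macro appears to have been meant for, and `fini_xt_mac()` should unregister only what the calling VE registered. Until then, a comment above `init_xt_mac()` such as `/* called at module load and once per VE; must not re-register shared objects */` would at least make the contract visible.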