diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/include/linux/vs_inet.h linux-2.6.22.9-vs2.3.0.26.2/include/linux/vs_inet.h --- linux-2.6.22.9-vs2.3.0.26.1/include/linux/vs_inet.h 2007-09-18 11:15:32 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/include/linux/vs_inet.h 2007-10-05 12:09:12 +0200 @@ -56,9 +56,10 @@ int v4_addr_in_nx_info(struct nx_info *n if (!nxi) goto out; - /* allow 127.0.0.1 when remapping lback */ ret = 2; - if ((addr == IPI_LOOPBACK) && + /* allow 127.0.0.1 when remapping lback */ + if ((tmask & NXA_LOOPBACK) && + (addr == IPI_LOOPBACK) && nx_info_flags(nxi, NXF_LBACK_REMAP, 0)) goto out; ret = 3; @@ -122,7 +123,7 @@ int v4_sock_addr_match ( if (addr && (saddr == addr || bcast == addr)) return 1; if (!saddr) - return v4_addr_in_nx_info(nxi, addr, -1); + return v4_addr_in_nx_info(nxi, addr, NXA_MASK_BIND); return 0; } @@ -197,7 +198,7 @@ int v4_ifa_in_nx_info(struct in_ifaddr * return 1; if (!ifa) return 0; - return v4_addr_in_nx_info(nxi, ifa->ifa_local, -1); + return v4_addr_in_nx_info(nxi, ifa->ifa_local, NXA_MASK_SHOW); } static inline @@ -243,7 +244,7 @@ int v4_map_sock_addr(struct inet_sock *i if (nx_info_flags(nxi, NXF_LBACK_REMAP, 0)) baddr = nxi->v4_lback.s_addr; } else { /* normal address bind */ - if (!v4_addr_in_nx_info(nxi, saddr, -1)) + if (!v4_addr_in_nx_info(nxi, saddr, NXA_MASK_BIND)) return -EADDRNOTAVAIL; } } @@ -280,7 +281,7 @@ static inline int v4_inet_addr_match ( if (addr && (saddr == addr)) return 1; if (!saddr) - return nxi ? v4_addr_in_nx_info(nxi, addr, -1) : 1; + return nxi ? v4_addr_in_nx_info(nxi, addr, NXA_MASK_BIND) : 1; return 0; } diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/include/linux/vserver/network.h linux-2.6.22.9-vs2.3.0.26.2/include/linux/vserver/network.h --- linux-2.6.22.9-vs2.3.0.26.1/include/linux/vserver/network.h 2007-09-18 12:32:20 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/include/linux/vserver/network.h 2007-10-05 12:05:04 +0200 
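Review bot: The new `(tmask & NXA_LOOPBACK)` test in v4_addr_in_nx_info makes acceptance of 127.0.0.1 depend on a bit the caller must opt into, and nothing at the function records that contract. A comment at the top of the function would make it auditable, for example `/* 127.0.0.1 is accepted via NXF_LBACK_REMAP only when the caller sets NXA_LOOPBACK in tmask */`. The bare `ret = 2` and `ret = 3` values would also be easier to review with a word on what each return code means. The signature and the rest of the body lie outside the hunk, so how `tmask` is used further down cannot be checked from here.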
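Review bot: Switching the wildcard branch (`if (!saddr)`) of v4_sock_addr_match from `-1` to NXA_MASK_BIND changes the result for addr == 127.0.0.1 in a context with NXF_LBACK_REMAP, because NXA_MASK_BIND as defined in network.h does not contain NXA_LOOPBACK and the remap shortcut in v4_addr_in_nx_info is therefore skipped. The same applies to v4_inet_addr_match later in this file and to the NXA_MASK_BIND call sites in ip_v4_find_src, ipv4_rcv_saddr_equal and __udp4_lib_lookup. This looks intended if addresses are already rewritten to `nxi->v4_lback` before these checks run, but the only rewrite visible in the patch is in v4_map_sock_addr. A short comment at each site, such as `/* loopback is remapped before this point; NXA_LOOPBACK deliberately not accepted */`, would record the assumption so a later change to the remap path does not silently alter these isolation checks.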
@@ -58,9 +58,15 @@ static inline uint64_t __nxf_init_set(vo #define NXA_TYPE_MASK 0x0020 #define NXA_TYPE_RANGE 0x0040 +#define NXA_MASK_ALL (NXA_TYPE_ADDR | NXA_TYPE_MASK | NXA_TYPE_RANGE) + #define NXA_MOD_BCAST 0x0100 #define NXA_MOD_LBACK 0x0200 +#define NXA_LOOPBACK 0x1000 + +#define NXA_MASK_BIND (NXA_MASK_ALL | NXA_MOD_BCAST | NXA_MOD_LBACK) +#define NXA_MASK_SHOW (NXA_MASK_ALL | NXA_LOOPBACK) #ifdef __KERNEL__ diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/kernel/vserver/inet.c linux-2.6.22.9-vs2.3.0.26.2/kernel/vserver/inet.c --- linux-2.6.22.9-vs2.3.0.26.1/kernel/vserver/inet.c 2007-10-01 13:10:13 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/kernel/vserver/inet.c 2007-10-05 12:09:54 +0200 @@ -74,7 +74,7 @@ int v4_dev_in_nx_info(struct net_device for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL; ifap = &ifa->ifa_next) { - if (v4_addr_in_nx_info(nxi, ifa->ifa_local, -1)) { + if (v4_addr_in_nx_info(nxi, ifa->ifa_local, NXA_MASK_SHOW)) { ret = 1; break; } @@ -166,7 +166,7 @@ int ip_v4_find_src(struct nx_info *nxi, vxdprintk(VXD_CBIT(net, 4), "ip_v4_find_src(%p[#%u]) rok[%u]: " NIPQUAD_FMT, nxi, nxi ? nxi->nx_id : 0, fl->oif, NIPQUAD(found)); - if (v4_addr_in_nx_info(nxi, found, -1)) + if (v4_addr_in_nx_info(nxi, found, NXA_MASK_BIND)) goto found; } @@ -202,7 +202,7 @@ int ip_v4_find_src(struct nx_info *nxi, fl->fl4_src = found; } else { - if (!v4_addr_in_nx_info(nxi, fl->fl4_src, -1)) + if (!v4_addr_in_nx_info(nxi, fl->fl4_src, NXA_MASK_BIND)) return -EPERM; } diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/inet_connection_sock.c linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/inet_connection_sock.c --- linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/inet_connection_sock.c 2007-08-29 19:52:52 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/inet_connection_sock.c 2007-10-05 12:10:17 +0200 
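Review bot: NXA_LOOPBACK (0x1000) and the existing NXA_MOD_LBACK (0x0200) have near-identical names, and the two new composite masks each leave one of them out without explanation: NXA_MASK_BIND carries NXA_MOD_LBACK but not NXA_LOOPBACK, NXA_MASK_SHOW the reverse. Picking the wrong mask at a call site silently changes whether 127.0.0.1 is accepted for a context, so each define deserves a one-line comment. Going by the call sites in this patch, that could be `/* query flag: accept 127.0.0.1 when NXF_LBACK_REMAP is set */` on NXA_LOOPBACK, `/* bind, source and destination address checks */` on NXA_MASK_BIND and `/* interface and address visibility */` on NXA_MASK_SHOW.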
@@ -49,12 +49,12 @@ int ipv4_rcv_saddr_equal(const struct so if (sk1_rcv_saddr && !sk2_rcv_saddr && - v4_addr_in_nx_info(sk2->sk_nx_info, sk1_rcv_saddr, -1)) + v4_addr_in_nx_info(sk2->sk_nx_info, sk1_rcv_saddr, NXA_MASK_BIND)) return 1; if (sk2_rcv_saddr && !sk1_rcv_saddr && - v4_addr_in_nx_info(sk1->sk_nx_info, sk2_rcv_saddr, -1)) + v4_addr_in_nx_info(sk1->sk_nx_info, sk2_rcv_saddr, NXA_MASK_BIND)) return 1; if (!sk1_rcv_saddr && diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/raw.c linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/raw.c --- linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/raw.c 2007-08-29 21:22:24 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/raw.c 2007-10-05 12:10:48 +0200 @@ -317,7 +317,7 @@ static int raw_send_hdrinc(struct sock * err = -EPERM; if (!nx_check(0, VS_ADMIN) && !capable(CAP_NET_RAW) && sk->sk_nx_info && - !v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, -1)) + !v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND)) goto error_free; err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/udp.c linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/udp.c --- linux-2.6.22.9-vs2.3.0.26.1/net/ipv4/udp.c 2007-08-29 21:22:20 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/net/ipv4/udp.c 2007-10-05 12:11:14 +0200 @@ -252,7 +252,8 @@ static struct sock *__udp4_lib_lookup(__ score+=2; } else { /* block non nx_info ips */ - if (!v4_addr_in_nx_info(sk->sk_nx_info, daddr, -1)) + if (!v4_addr_in_nx_info(sk->sk_nx_info, + daddr, NXA_MASK_BIND)) continue; } if (inet->daddr) { diff -NurpP --minimal linux-2.6.22.9-vs2.3.0.26.1/net/ipv6/af_inet6.c linux-2.6.22.9-vs2.3.0.26.2/net/ipv6/af_inet6.c --- linux-2.6.22.9-vs2.3.0.26.1/net/ipv6/af_inet6.c 2007-09-05 03:06:12 +0200 +++ linux-2.6.22.9-vs2.3.0.26.2/net/ipv6/af_inet6.c 2007-10-05 12:11:36 +0200 
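Review bot: The guard on `iph->saddr` in raw_send_hdrinc restricts the source address of header-included packets to the sender's context, and it has no comment saying so. With NXA_MASK_BIND it also stops accepting 127.0.0.1 through the NXF_LBACK_REMAP shortcut, which is worth stating next to the check, e.g. `/* header-included source must belong to the sender's network context */`. The visible condition skips the check entirely when `capable(CAP_NET_RAW)` is true or `sk->sk_nx_info` is NULL, so the restriction only applies to senders without that capability; whether that is the intended policy for guests cannot be told from the hunk. The function continues outside the hunk.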
@@ -294,7 +294,7 @@ int inet6_bind(struct socket *sock, stru err = -EADDRNOTAVAIL; goto out; } - if (!v4_addr_in_nx_info(sk->sk_nx_info, v4addr, -1)) { + if (!v4_addr_in_nx_info(sk->sk_nx_info, v4addr, NXA_MASK_BIND)) { err = -EADDRNOTAVAIL; goto out; }
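Review bot: The v4-mapped bind check in inet6_bind now passes NXA_MASK_BIND, so a `v4addr` of 127.0.0.1 no longer matches through the NXF_LBACK_REMAP shortcut. It would end in `-EADDRNOTAVAIL` unless the address is otherwise assigned to the context or is handled before this line. The IPv4 path in v4_map_sock_addr (vs_inet.h) has a separate branch that rewrites the bind address to `nxi->v4_lback.s_addr`; no equivalent is visible here, and the surrounding inet6_bind code is outside the hunk. If this path has no remap, either add one mirroring v4_map_sock_addr or leave a comment such as `/* mapped loopback binds are intentionally refused inside a context */` so the IPv4/IPv6 difference is a documented decision.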