1 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h
2 --- linux-2.6.27.10-vs2.3.x-PS-522/include/linux/vserver/network.h 2008-10-13 14:54:20.000000000 +0200
3 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/include/linux/vserver/network.h 2009-01-21 03:22:02.000000000 +0100
4 @@ -47,6 +47,8 @@ static inline uint64_t __nxf_init_set(vo
5 #define NXC_TUN_CREATE 0x00000001
7 #define NXC_RAW_ICMP 0x00000100
8 +#define NXC_RAW_SOCKET 0x00000200
9 +#define NXC_RAW_SEND 0x00000400
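Review bot: The two new network-context capability bits are added without a comment saying what each one grants, and `NXC_RAW_SEND` is not referenced by any hunk visible on this page. Elsewhere in this patch `NXC_RAW_SOCKET` gates raw socket creation, device binding in sock_bindtodevice, IP option setting and raw_send_hdrinc. A one-line comment per bit would help whoever assigns ncaps to guests, e.g. `/* create and use raw sockets of any protocol inside the network context */`. If `NXC_RAW_SEND` has no consumer yet, say so next to the define or leave it out until it does.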
13 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c
14 --- linux-2.6.27.10-vs2.3.x-PS-522/net/core/sock.c 2008-10-13 14:54:20.000000000 +0200
15 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/core/sock.c 2009-01-21 03:27:01.000000000 +0100
16 @@ -381,7 +381,7 @@ static int sock_bindtodevice(struct sock
20 - if (!capable(CAP_NET_RAW))
21 + if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
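Review bot: The check in sock_bindtodevice now accepts `NXC_RAW_SOCKET` in place of full `CAP_NET_RAW`, which ties device binding to the same bit that permits raw socket creation. Nothing in the visible lines restricts which interface a guest may name, so confirm outside this hunk that the device lookup is limited to interfaces the network context is allowed to use. If binding is meant to come with raw sockets, a comment such as `/* guests with NXC_RAW_SOCKET may bind to a device */` above the check would record that decision. Only the changed line of the function is visible here.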
25 @@ -515,6 +515,19 @@ set_sndbuf:
30 + if (current_vx_info()) {
34 + if (val < 0 || val > MAX_S_CONTEXT) {
43 /* Don't error on this BSD doesn't and if you think
44 about it this is right. Otherwise apps have to
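Review bot: Of the 13 added lines only the `current_vx_info()` test and the range check `val < 0 || val > MAX_S_CONTEXT` are visible, and neither is a privilege check on the caller. If the lines not shown do not also require a capability, any process outside a vserver context, including an unprivileged one on the host, could set this value on its socket. A capability test before the assignment, for example `if (!capable(CAP_NET_ADMIN))`, would close that gap. The range check also accepts `val == MAX_S_CONTEXT`, so confirm the bound is meant to be inclusive.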
45 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c
46 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/af_inet.c 2009-01-21 03:12:46.000000000 +0100
47 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/af_inet.c 2009-01-21 03:22:02.000000000 +0100
48 @@ -331,6 +331,9 @@ lookup_protocol:
49 if ((protocol == IPPROTO_ICMP) &&
50 nx_capable(answer->capability, NXC_RAW_ICMP))
52 + if (sock->type == SOCK_RAW &&
53 + nx_capable(answer->capability, NXC_RAW_SOCKET))
55 if (answer->capability > 0 && !capable(answer->capability))
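Review bot: `NXC_RAW_SOCKET` here lifts the capability check for every raw protocol number, not only ICMP as in the branch above. The added condition also calls `nx_capable(answer->capability, NXC_RAW_SOCKET)` without the `answer->capability > 0` guard that the `capable()` fallback below it uses. That guard probably cannot matter for the stock `SOCK_RAW` entry, but writing the test as `answer->capability > 0 && nx_capable(answer->capability, NXC_RAW_SOCKET)` or adding a comment would make the assumption explicit. The body of the added `if` is not visible in this hunk.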
58 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c
59 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/ip_options.c 2008-10-13 14:52:09.000000000 +0200
60 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/ip_options.c 2009-01-21 03:22:02.000000000 +0100
61 @@ -397,7 +397,7 @@ int ip_options_compile(struct net *net,
65 - if (!skb && !capable(CAP_NET_RAW)) {
66 + if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
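Review bot: All three ip_options_compile hunks (this one and those at -433 and -446) swap `capable(CAP_NET_RAW)` for `nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)`, so a guest holding the raw-socket bit can now set the IP options these branches protect when they arrive from user space (`!skb`). The -433 hunk's condition also tests `opt->cipso`, which suggests it is the CIPSO labelling option. Setting a security label is a different privilege from opening a raw socket, so it may be safer to leave that branch as `if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {`. Which option the other two branches handle is not visible here, so the same question applies to them. At minimum, a comment on each check naming the option and why guests may set it would help later audits.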
70 @@ -433,7 +433,7 @@ int ip_options_compile(struct net *net,
71 opt->router_alert = optptr - iph;
74 - if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
75 + if ((!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) || opt->cipso) {
79 @@ -446,7 +446,7 @@ int ip_options_compile(struct net *net,
83 - if (!skb && !capable(CAP_NET_RAW)) {
84 + if (!skb && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) {
88 diff -NurpP --exclude '*.orig' --exclude '*.rej' linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c
89 --- linux-2.6.27.10-vs2.3.x-PS-522/net/ipv4/raw.c 2008-10-13 14:54:20.000000000 +0200
90 +++ linux-2.6.27.10-vs2.3.x-PS-522-523/net/ipv4/raw.c 2009-01-21 03:26:02.000000000 +0100
91 @@ -108,7 +108,7 @@ void raw_unhash_sk(struct sock *sk)
92 EXPORT_SYMBOL_GPL(raw_unhash_sk);
94 static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
95 - unsigned short num, __be32 raddr, __be32 laddr, int dif)
96 + unsigned short num, __be32 raddr, __be32 laddr, int dif, int tag)
98 struct hlist_node *node;
100 @@ -117,6 +117,7 @@ static struct sock *__raw_v4_lookup(stru
102 if (net_eq(sock_net(sk), net) && inet->num == num &&
103 !(inet->daddr && inet->daddr != raddr) &&
104 + (!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag) &&
105 v4_sock_addr_match(sk->sk_nx_info, inet, laddr) &&
106 !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
107 goto found; /* gotcha */
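Review bot: The new term `(!sk->sk_nx_info || tag == 1 || sk->sk_nid == tag)` uses a bare `1` as a match-every-context value, so any packet whose `skb_tag` is 1 is delivered to raw sockets of all network contexts, and sockets with no `sk_nx_info` receive packets regardless of tag. Both are isolation decisions and deserve a comment, e.g. `/* tag 1 matches every context; sockets without nx_info are not filtered by tag */`, or a named constant if the tree already has one for that id. `tag` is declared `int` in the new signature but compared with `sk->sk_nid`, whose type is not visible here, so check that the comparison does not mix signed and unsigned. The callers pass `skb->skb_tag`, so the filter is only as strong as whatever assigns that field.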
108 @@ -169,7 +170,7 @@ static int raw_v4_input(struct sk_buff *
109 net = dev_net(skb->dev);
110 sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
111 iph->saddr, iph->daddr,
112 - skb->dev->ifindex);
113 + skb->dev->ifindex, skb->skb_tag);
117 @@ -182,7 +183,7 @@ static int raw_v4_input(struct sk_buff *
119 sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
120 iph->saddr, iph->daddr,
121 - skb->dev->ifindex);
122 + skb->dev->ifindex, skb->skb_tag);
125 read_unlock(&raw_v4_hashinfo.lock);
126 @@ -277,8 +278,8 @@ void raw_icmp_error(struct sk_buff *skb,
127 net = dev_net(skb->dev);
129 while ((raw_sk = __raw_v4_lookup(net, raw_sk, protocol,
130 - iph->daddr, iph->saddr,
131 - skb->dev->ifindex)) != NULL) {
132 + iph->daddr, iph->saddr, skb->dev->ifindex,
133 + skb->skb_tag)) != NULL) {
134 raw_err(raw_sk, skb, info);
135 raw_sk = sk_next(raw_sk);
136 iph = (struct iphdr *)skb->data;
137 @@ -373,7 +374,7 @@ static int raw_send_hdrinc(struct sock *
138 skb_transport_header(skb))->type);
141 - if (!nx_check(0, VS_ADMIN) && !capable(CAP_NET_RAW) &&
142 + if (!nx_check(0, VS_ADMIN) && !nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET) &&
144 !v4_addr_in_nx_info(sk->sk_nx_info, iph->saddr, NXA_MASK_BIND))