Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

netfilter: nftables: Only run the nftables chains in the proper netns

- Register the nftables chains in the network namespace that they need
  to run in.

- Remove the hacks that stopped chains running in the wrong network
  namespace.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric W. Biederman 10 years ago
parent
085db2c045
commit
fd2ecda034
2 changed files with 6 additions and 7 deletions
Unified View Show Diff Stats
  1. 6 2
      net/netfilter/nf_tables_api.c
  2. 0 5
      net/netfilter/nf_tables_core.c

+ 6 - 2
net/netfilter/nf_tables_api.c
View File 

@@ -130,20 +130,24 @@ static void nft_trans_destroy(struct nft_trans *trans)
 
 int nft_register_basechain(struct nft_base_chain *basechain,
 
 int nft_register_basechain(struct nft_base_chain *basechain,
 
 			   unsigned int hook_nops)
 
 			   unsigned int hook_nops)
 
 {
 
 {
 
+	struct net *net = read_pnet(&basechain->pnet);
 
+
 
 	if (basechain->flags & NFT_BASECHAIN_DISABLED)
 
 	if (basechain->flags & NFT_BASECHAIN_DISABLED)
 
 		return 0;
 
 		return 0;
 
 
 
-	return nf_register_hooks(basechain->ops, hook_nops);
 
+	return nf_register_net_hooks(net, basechain->ops, hook_nops);
 
 }
 
 }
 
 EXPORT_SYMBOL_GPL(nft_register_basechain);
 
 EXPORT_SYMBOL_GPL(nft_register_basechain);
 
 
 
 void nft_unregister_basechain(struct nft_base_chain *basechain,
 
 void nft_unregister_basechain(struct nft_base_chain *basechain,
 
 			      unsigned int hook_nops)
 
 			      unsigned int hook_nops)
 
 {
 
 {
 
+	struct net *net = read_pnet(&basechain->pnet);
 
+
 
 	if (basechain->flags & NFT_BASECHAIN_DISABLED)
 
 	if (basechain->flags & NFT_BASECHAIN_DISABLED)
 
 		return;
 
 		return;
 
 
 
-	nf_unregister_hooks(basechain->ops, hook_nops);
 
+	nf_unregister_net_hooks(net, basechain->ops, hook_nops);
 
 }
 
 }
 
 EXPORT_SYMBOL_GPL(nft_unregister_basechain);
 
 EXPORT_SYMBOL_GPL(nft_unregister_basechain);

+ 0 - 5
net/netfilter/nf_tables_core.c
View File 

@@ -114,7 +114,6 @@ unsigned int
 
 nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 
 nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 
 {
 
 {
 
 	const struct nft_chain *chain = ops->priv, *basechain = chain;
 
 	const struct nft_chain *chain = ops->priv, *basechain = chain;
 
-	const struct net *chain_net = read_pnet(&nft_base_chain(basechain)->pnet);
 
 	const struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
 
 	const struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
 
 	const struct nft_rule *rule;
 
 	const struct nft_rule *rule;
 
 	const struct nft_expr *expr, *last;
 
 	const struct nft_expr *expr, *last;
 
@@ -125,10 +124,6 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 
 	int rulenum;
 
 	int rulenum;
 
 	unsigned int gencursor = nft_genmask_cur(net);
 
 	unsigned int gencursor = nft_genmask_cur(net);
 
 
 
-	/* Ignore chains that are not for the current network namespace */
 
-	if (!net_eq(net, chain_net))
 
-		return NF_ACCEPT;
 
-
 
 do_chain:
 
 do_chain:
 
 	rulenum = 0;
 
 	rulenum = 0;
 
 	rule = list_entry(&chain->rules, struct nft_rule, list);
 
 	rule = list_entry(&chain->rules, struct nft_rule, list);