| Message ID | 20150610152855.GA3406@acer.localdomain |
|---|---|
| State | RFC |
| Delegated to: | Pablo Neira |
On Wed, Jun 10, 2015 at 5:28 PM, Patrick McHardy <kaber@trash.net> wrote:
[...]
> If my understanding of the problem is correct, this (totally untested)
> patch should prevent the problem until we have a proper fix.

Yes it does prevent the execution of the chains from the wrong netns.

Some targets are still broken when used in a netns, for example queue
rules instantiated in a netns will not work at all.

Andreas

>
> diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
> index f153b07..62e371a 100644
> --- a/net/netfilter/nf_tables_core.c
> +++ b/net/netfilter/nf_tables_core.c
> @@ -124,6 +124,12 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
> int rulenum;
> unsigned int gencursor = nft_genmask_cur(net);
>
> + /* Workaround for processing in incorrect namespace until we have
> + * per net hooks.
> + */
> + if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net)
> + return NF_ACCEPT;
> +
> do_chain:
> rulenum = 0;
> rule = list_entry(&chain->rules, struct nft_rule, list);
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c index f153b07..62e371a 100644 --- a/net/netfilter/nf_tables_core.c +++ b/net/netfilter/nf_tables_core.c @@ -124,6 +124,12 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops) int rulenum; unsigned int gencursor = nft_genmask_cur(net); + /* Workaround for processing in incorrect namespace until we have + * per net hooks. + */ + if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net) + return NF_ACCEPT; + do_chain: rulenum = 0; rule = list_entry(&chain->rules, struct nft_rule, list);
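Review bot: the early return added at the top of nft_do_chain dereferences `pkt->in ? : pkt->out` without a NULL check, so a packet reaching this function with neither device set would crash inside `read_pnet(&(...)->nd_net)`; either guard that case or state in the comment why every hook that calls nft_do_chain guarantees one of the two. The open-coded lookup is also better expressed with the existing helpers, `if (!net_eq(dev_net(pkt->in ? : pkt->out), net)) return NF_ACCEPT;`. Finally, the comment should say what the NF_ACCEPT means here: with the hooks still global, every namespace's base chain is visited for every packet, and this check only makes a foreign namespace's chain step aside so the packet's own chain decides; it does not, as the reply above notes, help targets such as queue that are themselves namespace-unaware.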