netfilter: nftables: Only run the nftables chains in the proper netns
- Register the nftables chains in the network namespace that they need to run in. - Remove the hacks that stopped chains running in the wrong network namespace. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
085db2c045
commit
fd2ecda034
|
@ -130,20 +130,24 @@ static void nft_trans_destroy(struct nft_trans *trans)
|
|||
int nft_register_basechain(struct nft_base_chain *basechain,
|
||||
unsigned int hook_nops)
|
||||
{
|
||||
struct net *net = read_pnet(&basechain->pnet);
|
||||
|
||||
if (basechain->flags & NFT_BASECHAIN_DISABLED)
|
||||
return 0;
|
||||
|
||||
return nf_register_hooks(basechain->ops, hook_nops);
|
||||
return nf_register_net_hooks(net, basechain->ops, hook_nops);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nft_register_basechain);
|
||||
|
||||
void nft_unregister_basechain(struct nft_base_chain *basechain,
|
||||
unsigned int hook_nops)
|
||||
{
|
||||
struct net *net = read_pnet(&basechain->pnet);
|
||||
|
||||
if (basechain->flags & NFT_BASECHAIN_DISABLED)
|
||||
return;
|
||||
|
||||
nf_unregister_hooks(basechain->ops, hook_nops);
|
||||
nf_unregister_net_hooks(net, basechain->ops, hook_nops);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nft_unregister_basechain);
|
||||
|
||||
|
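Review bot: nft_register_basechain now reads `basechain->pnet` (hunk line `struct net *net = read_pnet(&basechain->pnet);`) and registers the hook ops only in that namespace, so correctness depends on two caller-side invariants that nothing in the hunk states: pnet must already be populated when this is called, and it must still hold the same value when nft_unregister_basechain (same hunk) reads it again, otherwise the hooks would presumably be left registered in the original namespace. Both functions also return early on NFT_BASECHAIN_DISABLED without touching any hooks, which is only correct if the flag cannot change between the register and unregister calls; I would make this explicit rather than rely on the caller knowing it. I suggest a kernel-doc comment above nft_register_basechain such as `/* Registers basechain->ops only in basechain->pnet. pnet and NFT_BASECHAIN_DISABLED must be set before this call and stay unchanged until nft_unregister_basechain(). Returns 0 when the chain is disabled. */`, with a matching one-line note on nft_unregister_basechain. Where pnet is initialised is outside this hunk, so the invariant is inferred from the code shown here.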
|
|
@ -114,7 +114,6 @@ unsigned int
|
|||
nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
|
||||
{
|
||||
const struct nft_chain *chain = ops->priv, *basechain = chain;
|
||||
const struct net *chain_net = read_pnet(&nft_base_chain(basechain)->pnet);
|
||||
const struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
|
||||
const struct nft_rule *rule;
|
||||
const struct nft_expr *expr, *last;
|
||||
|
@ -125,10 +124,6 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
|
|||
int rulenum;
|
||||
unsigned int gencursor = nft_genmask_cur(net);
|
||||
|
||||
/* Ignore chains that are not for the current network namespace */
|
||||
if (!net_eq(net, chain_net))
|
||||
return NF_ACCEPT;
|
||||
|
||||
do_chain:
|
||||
rulenum = 0;
|
||||
rule = list_entry(&chain->rules, struct nft_rule, list);
|
||||
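Review bot: With the `net_eq(net, chain_net)` guard removed from this hunk, nft_do_chain no longer checks that the packet belongs to the chain's namespace; that property now rests entirely on the per-netns hook registration done elsewhere, but nothing in nft_do_chain records the dependency, and the remaining `net` is still derived from `dev_net(pkt->in ? pkt->in : pkt->out)` in the earlier hunk of this function (`@ -114,7 +114,6`) rather than from the chain. A reader who later sees a chain running on a packet from another namespace will have no pointer to where the invariant is enforced. I suggest a comment on the `net` declaration in the earlier hunk: `/* Base chain hooks are registered only in their own netns (nft_register_basechain), so pkt->in/out always belong to this chain's namespace. */`. nft_do_chain's body continues before and after both hunks, so I have not checked the other uses of `net`.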
|
|