lists.openwall.net: Open Source and information security mailing list archives
Date: Mon, 8 Sep 2008 07:03:10 +0400
From: Alexey Dobriyan <adobriyan@...il.com>
To: kaber@...sh.net
Cc: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, containers@...ts.linux-foundation.org
Subject: [PATCH 33/33] Enable netfilter in netns

From the kernel perspective, allow entry into nf_hook_slow().

Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not
netns-ready:

	DECnet netfilter
	ipt_CLUSTERIP
	nf_nat_standalone.c together with XFRM (?)
	IPVS
	several individual match modules (like hashlimit)
	ctnetlink
	NOTRACK
	all sorts of queueing and reporting to userspace
	L3 and L4 protocol sysctls, bridge sysctls
	probably something else

Anyway, critical mass has been achieved, there is no reason to hide netfilter
any longer.

From the userspace perspective, allow manipulation of all sorts of
iptables/ip6tables/arptables rules.

Signed-off-by: Alexey Dobriyan <adobriyan@...il.com>

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index b16cd79..a90ac83 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -165,14 +165,6 @@ int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 	unsigned int verdict;
 	int ret = 0;
 
-#ifdef CONFIG_NET_NS
-	struct net *net;
-
-	net = indev == NULL ? dev_net(outdev) : dev_net(indev);
-	if (net != &init_net)
-		return 1;
-#endif
-
 	/* We may already have this, but read-locks nest anyway */
 	rcu_read_lock();
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index f9b46de..8ab829f 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -65,9 +65,6 @@ static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, u_int8_t pf,
 {
 	struct nf_sockopt_ops *ops;
 
-	if (!net_eq(sock_net(sk), &init_net))
-		return ERR_PTR(-ENOPROTOOPT);
-
 	if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
 		return ERR_PTR(-EINTR);
 
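Review bot: dropping the `if (net != &init_net) return 1;` gate from nf_hook_slow() removes the only central check that kept hooks registered via nf_register_hook()/nf_register_hooks() away from non-init namespaces, and the commit message itself lists hooks that are not netns-ready (ipt_CLUSTERIP, NOTRACK, hashlimit, ctnetlink, IPVS, the queueing and reporting paths); nothing in this hunk replaces the removed check with a per-hook one, so those modules will now apply their global state to traffic from every namespace. Note the change in failure mode: before, a packet from a child namespace was returned as accepted without traversing any hook, i.e. no filtering at all; after, the outcome depends on each hook. Suggest either keeping the namespace test inside the not-yet-converted hook functions (they can derive it the way the removed code did, `net = indev == NULL ? dev_net(outdev) : dev_net(indev);`) or stating explicitly in the commit message that cross-namespace state sharing in those modules is accepted for now.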
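Review bot: without the `net_eq(sock_net(sk), &init_net)` check, nf_sockopt_find() now returns the registered nf_sockopt_ops for a socket in any namespace, so every per-protocol set/get handler becomes reachable from child namespaces and must resolve its tables through sock_net(sk) rather than assuming init_net. Handlers owned by the modules the message lists as not netns-ready (IPVS, for one, registers its control interface through nf_register_sockopt) will act on global state when driven from a child namespace; suggest moving the dropped `return ERR_PTR(-ENOPROTOOPT);` into those specific handlers until they are converted, so a caller in a child namespace keeps getting a clear error instead of silently modifying init_net's configuration. The userspace-visible result also changes from a uniform -ENOPROTOOPT to whatever each handler returns, which is worth a sentence in the commit message.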