summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDenis V. Lunev <den@openvz.org>2008-03-24 23:33:00 +0100
committerDavid S. Miller <davem@davemloft.net>2008-03-24 23:33:00 +0100
commitf145049a06f470d0489f47cb83ff3ccb2a0de622 (patch)
tree2d25f9af4c1e599763f01f9338ed8bf0517ddac1 /net
parent[NETNS]: Process netfilter hooks in initial namespace only. (diff)
downloadlinux-f145049a06f470d0489f47cb83ff3ccb2a0de622.tar.xz
linux-f145049a06f470d0489f47cb83ff3ccb2a0de622.zip
[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis.
IP layer now can handle multiple namespaces normally. So, process such packets normally and drop them only if the transport layer is not aware about namespaces. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/ip_input.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index eb1fa27dc0c4..2aeea5d15425 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -199,6 +199,8 @@ int ip_call_ra_chain(struct sk_buff *skb)
static int ip_local_deliver_finish(struct sk_buff *skb)
{
+ struct net *net = skb->dev->nd_net;
+
__skb_pull(skb, ip_hdrlen(skb));
/* Point into the IP datagram, just past the header. */
@@ -214,7 +216,8 @@ static int ip_local_deliver_finish(struct sk_buff *skb)
raw = raw_local_deliver(skb, protocol);
hash = protocol & (MAX_INET_PROTOS - 1);
- if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {
+ ipprot = rcu_dereference(inet_protos[hash]);
+ if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) {
int ret;
if (!ipprot->no_policy) {
@@ -375,9 +378,6 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
struct iphdr *iph;
u32 len;
- if (dev->nd_net != &init_net)
- goto drop;
-
/* When the interface is in promisc. mode, drop all the crap
* that it receives, do not try to analyse it.
*/