From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Gao feng <gaofeng@cn.fujitsu.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v2 04/10] netfilter: xt_LOG: add net namespace support for xt_LOG
Date: Fri, 5 Apr 2013 20:33:40 +0200
Message-ID: <20130405183340.GD4853@localhost>
In-Reply-To: <1364205048-32632-4-git-send-email-gaofeng@cn.fujitsu.com>

On Mon, Mar 25, 2013 at 05:50:42PM +0800, Gao feng wrote:
> Add pernet_operations for xt_LOG. In pernet_ops,
> we call nf_log_set/unset to set/unset the per-net
> nf_loggers.
> 
> Because the syslog ns has not been implemented,
> we don't want the container to DDoS the host's syslog,
> so only enable ebt_log in init_net and wait for
> syslog ns.

Applied with change.

> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
> ---
>  net/netfilter/xt_LOG.c | 41 ++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 38 insertions(+), 3 deletions(-)
> 
> diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
> index fa40096..d396600 100644
> --- a/net/netfilter/xt_LOG.c
> +++ b/net/netfilter/xt_LOG.c
> @@ -474,7 +474,13 @@ ipt_log_packet(u_int8_t pf,
>  	       const struct nf_loginfo *loginfo,
>  	       const char *prefix)
>  {
> -	struct sbuff *m = sb_open();
> +	struct sbuff *m;
> +	struct net *net = dev_net(in ? in : out);
> +
> +	if (!net_eq(net, &init_net))
> +		return;
> +
> +	m = sb_open();
>  
>  	if (!loginfo)
>  		loginfo = &default_loginfo;
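
Review bot: the early return on !net_eq(net, &init_net) in ipt_log_packet silently drops every LOG rule hit outside the initial namespace, and nothing in the code says why or that it is meant to be temporary. Add a short comment above the check stating that logging is limited to init_net until syslog is namespace-aware, so the restriction is not mistaken for a bug and is easy to find when it can be lifted.
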
> @@ -798,7 +804,13 @@ ip6t_log_packet(u_int8_t pf,
>  		const struct nf_loginfo *loginfo,
>  		const char *prefix)
>  {
> -	struct sbuff *m = sb_open();
> +	struct sbuff *m;
> +	struct net *net = dev_net(in ? in : out);
> +

Added comment here, as in ebt_log.

> +	if (!net_eq(net, &init_net))
> +		return;
> +
> +	m = sb_open();
>  
>  	if (!loginfo)
>  		loginfo = &default_loginfo;
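
Review bot: dev_net(in ? in : out) at the top of ip6t_log_packet falls back to out without checking it, so a call with both devices NULL would dereference a NULL pointer before the namespace check is reached. If callers guarantee at least one device, say so in a comment; otherwise guard the lookup. The same added lines also appear in ipt_log_packet, so a small shared helper would keep the two checks from drifting apart.
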
> @@ -893,6 +905,28 @@ static struct nf_logger ip6t_log_logger __read_mostly = {
>  };
>  #endif
>  
> +static int __net_init log_net_init(struct net *net)
> +{
> +	nf_log_set(net, NFPROTO_IPV4, &ipt_log_logger);
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +	nf_log_set(net, NFPROTO_IPV6, &ip6t_log_logger);
> +#endif
> +	return 0;
> +}
> +
> +static void __net_exit log_net_exit(struct net *net)
> +{
> +	nf_log_unset(net, &ipt_log_logger);
> +#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
> +	nf_log_unset(net, &ip6t_log_logger);
> +#endif
> +}
> +
> +static struct pernet_operations log_net_ops = {
> +	.init = log_net_init,
> +	.exit = log_net_exit,
> +};
> +
>  static int __init log_tg_init(void)
>  {
>  	int ret;
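
Review bot: log_net_init calls nf_log_set for every namespace, but the packet functions changed earlier in this patch return immediately unless the namespace is init_net, so in any other namespace these loggers are installed and then log nothing. Either call nf_log_set only when net_eq(net, &init_net) holds, or add a comment explaining why a logger that never emits is still set there.
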
> @@ -905,11 +939,12 @@ static int __init log_tg_init(void)
>  #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>  	nf_log_register(NFPROTO_IPV6, &ip6t_log_logger);
>  #endif
> -	return 0;
> +	return register_pernet_subsys(&log_net_ops);

You have to unroll if this fails.

>  }
>  
>  static void __exit log_tg_exit(void)
>  {
> +	unregister_pernet_subsys(&log_net_ops);
>  	nf_log_unregister(&ipt_log_logger);
>  #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
>  	nf_log_unregister(&ip6t_log_logger);
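
Review bot: log_tg_init now returns the result of register_pernet_subsys directly, so if that call fails the module init fails while the nf_log_register calls just above it are left in effect. Store the result in ret and, on error, call nf_log_unregister for each logger (and undo anything else registered earlier in the function) before returning it. The exit path already tears down in the reverse order of init, which is right.
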
> -- 
> 1.7.11.7
> 