From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: <netdev@vger.kernel.org>, Linux Containers <containers@lists.osdl.org>
Subject: [PATCH 17/16] net: Disable netfilter sockopts when not in the initial network namespace
Date: Sat, 08 Sep 2007 15:47:12 -0600
Message-ID: <m1ps0su8wv.fsf_-_@ebiederm.dsl.xmission.com>
In-Reply-To: <m1tzq4u92n.fsf_-_@ebiederm.dsl.xmission.com> (Eric W. Biederman's message of "Sat, 08 Sep 2007 15:43:44 -0600")
Until we support multiple network namespaces with netfilter only allow
netfilter configuration in the initial network namespace.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
Oops, I overlooked this one on my first pass through when gathering up this
patchset.
net/netfilter/nf_sockopt.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 8b8ece7..c12ea9b 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -80,6 +80,9 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
struct nf_sockopt_ops *ops;
int ret;
+ if (sk->sk_net != &init_net)
+ return -ENOPROTOOPT;
+
if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
return -EINTR;
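Review bot: The new `if (sk->sk_net != &init_net)` check in nf_sockopt() deserves a one-line comment saying it is a temporary restriction that goes away once netfilter is made namespace-aware, as the commit message states; a bare pointer comparison returning -ENOPROTOOPT reads like a permanent policy decision otherwise. Placing the check before mutex_lock_interruptible() is correct (no lock to release on the early return), and -ENOPROTOOPT is the right choice here because from a non-initial namespace the option genuinely does not exist yet, so callers get the same error they would for an unregistered sockopt rather than a misleading EPERM.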
@@ -138,6 +141,10 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val,
struct nf_sockopt_ops *ops;
int ret;
+ if (sk->sk_net != &init_net)
+ return -ENOPROTOOPT;
+
+
if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
return -EINTR;
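Review bot: The compat_nf_sockopt() hunk adds two blank lines after `return -ENOPROTOOPT;` where the nf_sockopt() hunk adds one; drop the second so the two call sites stay identical. Since the same guard now appears verbatim in both nf_sockopt() and compat_nf_sockopt(), consider factoring it into a small static helper so the namespace check cannot drift between the native and compat paths when the restriction is later relaxed.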
--
1.5.3.rc6.17.g1911