Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f145049a authored by Denis V. Lunev's avatar Denis V. Lunev Committed by David S. Miller
Browse files

[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis. 



IP layer now can handle multiple namespaces normally. So, process such
packets normally and drop them only if the transport layer is not
aware about namespaces.

Signed-off-by: default avatarDenis V. Lunev <den@openvz.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0be43f82

include/net/protocol.h

+2 −1
Original line number Diff line number Diff line
@@ -39,7 +39,8 @@ struct net_protocol { 
	int			(*gso_send_check)(struct sk_buff *skb);

	struct sk_buff	       *(*gso_segment)(struct sk_buff *skb,

					       int features);

	int			no_policy;

	unsigned int		no_policy:1,

				netns_ok:1;

};



#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)

net/ipv4/ip_input.c

+4 −4
Original line number Diff line number Diff line
@@ -199,6 +199,8 @@ int ip_call_ra_chain(struct sk_buff *skb) 


static int ip_local_deliver_finish(struct sk_buff *skb)

{

	struct net *net = skb->dev->nd_net;



	__skb_pull(skb, ip_hdrlen(skb));



	/* Point into the IP datagram, just past the header. */
@@ -214,7 +216,8 @@ static int ip_local_deliver_finish(struct sk_buff *skb) 
		raw = raw_local_deliver(skb, protocol);



		hash = protocol & (MAX_INET_PROTOS - 1);

		if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {

		ipprot = rcu_dereference(inet_protos[hash]);

		if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) {

			int ret;



			if (!ipprot->no_policy) {
@@ -375,9 +378,6 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, 
	struct iphdr *iph;

	u32 len;



	if (dev->nd_net != &init_net)

		goto drop;



	/* When the interface is in promisc. mode, drop all the crap

	 * that it receives, do not try to analyse it.

	 */