Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f5646501 authored by Flavio Leitner's avatar Flavio Leitner Committed by David S. Miller
Browse files

netfilter: check if the socket netns is correct. 



Netfilter assumes that if the socket is present in the skb, then
it can be used because that reference is cleaned up while the skb
is crossing netns.

We want to change that to preserve the socket reference in a future
patch, so this is a preparation updating netfilter to check if the
socket netns matches before use it.

Signed-off-by: default avatarFlavio Leitner <fbl@redhat.com>
Acked-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 003504a2

include/net/netfilter/nf_log.h

+2 −1
Original line number Diff line number Diff line
@@ -106,7 +106,8 @@ int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb, 
int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,

			   u8 proto, int fragment, unsigned int offset,

			   unsigned int logflags);

void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk);

void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,

			    struct sock *sk);

void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,

			       unsigned int hooknum, const struct sk_buff *skb,

			       const struct net_device *in,

net/ipv4/netfilter/nf_log_ipv4.c

+4 −4
Original line number Diff line number Diff line
@@ -35,7 +35,7 @@ static const struct nf_loginfo default_loginfo = { 
};



/* One level of recursion won't kill us */

static void dump_ipv4_packet(struct nf_log_buf *m,

static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m,

			     const struct nf_loginfo *info,

			     const struct sk_buff *skb, unsigned int iphoff)

{
@@ -183,7 +183,7 @@ static void dump_ipv4_packet(struct nf_log_buf *m, 
			/* Max length: 3+maxlen */

			if (!iphoff) { /* Only recurse once. */

				nf_log_buf_add(m, "[");

				dump_ipv4_packet(m, info, skb,

				dump_ipv4_packet(net, m, info, skb,

					    iphoff + ih->ihl*4+sizeof(_icmph));

				nf_log_buf_add(m, "] ");

			}
@@ -251,7 +251,7 @@ static void dump_ipv4_packet(struct nf_log_buf *m, 


	/* Max length: 15 "UID=4294967295 " */

	if ((logflags & NF_LOG_UID) && !iphoff)

		nf_log_dump_sk_uid_gid(m, skb->sk);

		nf_log_dump_sk_uid_gid(net, m, skb->sk);



	/* Max length: 16 "MARK=0xFFFFFFFF " */

	if (!iphoff && skb->mark)
@@ -333,7 +333,7 @@ static void nf_log_ip_packet(struct net *net, u_int8_t pf, 
	if (in != NULL)

		dump_ipv4_mac_header(m, loginfo, skb);



	dump_ipv4_packet(m, loginfo, skb, 0);

	dump_ipv4_packet(net, m, loginfo, skb, 0);



	nf_log_buf_close(m);

}

net/ipv6/netfilter/nf_log_ipv6.c

+4 −4
Original line number Diff line number Diff line
@@ -36,7 +36,7 @@ static const struct nf_loginfo default_loginfo = { 
};



/* One level of recursion won't kill us */

static void dump_ipv6_packet(struct nf_log_buf *m,

static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m,

			     const struct nf_loginfo *info,

			     const struct sk_buff *skb, unsigned int ip6hoff,

			     int recurse)
@@ -258,7 +258,7 @@ static void dump_ipv6_packet(struct nf_log_buf *m, 
			/* Max length: 3+maxlen */

			if (recurse) {

				nf_log_buf_add(m, "[");

				dump_ipv6_packet(m, info, skb,

				dump_ipv6_packet(net, m, info, skb,

						 ptr + sizeof(_icmp6h), 0);

				nf_log_buf_add(m, "] ");

			}
@@ -278,7 +278,7 @@ static void dump_ipv6_packet(struct nf_log_buf *m, 


	/* Max length: 15 "UID=4294967295 " */

	if ((logflags & NF_LOG_UID) && recurse)

		nf_log_dump_sk_uid_gid(m, skb->sk);

		nf_log_dump_sk_uid_gid(net, m, skb->sk);



	/* Max length: 16 "MARK=0xFFFFFFFF " */

	if (recurse && skb->mark)
@@ -365,7 +365,7 @@ static void nf_log_ip6_packet(struct net *net, u_int8_t pf, 
	if (in != NULL)

		dump_ipv6_mac_header(m, loginfo, skb);



	dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1);

	dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1);



	nf_log_buf_close(m);

}

net/netfilter/nf_conntrack_broadcast.c

+1 −1
Original line number Diff line number Diff line
@@ -32,7 +32,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb, 
	__be32 mask = 0;



	/* we're only interested in locally generated packets */

	if (skb->sk == NULL)

	if (skb->sk == NULL || !net_eq(nf_ct_net(ct), sock_net(skb->sk)))

		goto out;

	if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))

		goto out;

net/netfilter/nf_log_common.c

+3 −2
Original line number Diff line number Diff line
@@ -132,9 +132,10 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 
}

EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header);



void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk)

void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,

			    struct sock *sk)

{

	if (!sk || !sk_fullsock(sk))

	if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk)))

		return;



	read_lock_bh(&sk->sk_callback_lock);