netfilter: conntrack: check netns when walking expect hash

Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2016-05-05 18:51:47 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-06 05:50:01 -0400
commit: 03d7dc5cdfe6fd4e5bd04cfc2be7ae259f956428 (patch)
tree: 154c3f3f33680d9294dd10c50eb5217f2ace6887
parent: cb39ad8b8ef224c544074962780bf763077d6141 (diff)
3 files changed, 30 insertions, 4 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index f8fc7ab201c9..2b4c729fcf8d 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -301,6 +301,9 @@ static int exp_seq_show(struct seq_file *s, void *v)
        exp = hlist_entry(n, struct nf_conntrack_expect, hnode);
+        if (!net_eq(nf_ct_net(exp->master), seq_file_net(s)))
+                return 0;
        if (exp->tuple.src.l3num != AF_INET)
                return 0;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index c2f7c4f475b1..da95d740e60b 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -86,6 +86,17 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple
        return reciprocal_scale(hash, nf_ct_expect_hsize);
 }
+static bool
+nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple,
+                const struct nf_conntrack_expect *i,
+                const struct nf_conntrack_zone *zone,
+                const struct net *net)
+{
+        return nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
+               net_eq(net, nf_ct_net(i->master)) &&
+               nf_ct_zone_equal_any(i->master, zone);
+}
 struct nf_conntrack_expect *
 __nf_ct_expect_find(struct net *net,
                    const struct nf_conntrack_zone *zone,
@@ -99,8 +110,7 @@ __nf_ct_expect_find(struct net *net,
        h = nf_ct_expect_dst_hash(tuple);
        hlist_for_each_entry_rcu(i, &net->ct.expect_hash[h], hnode) {
-                if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
+                if (nf_ct_exp_equal(tuple, i, zone, net))
-                    nf_ct_zone_equal_any(i->master, zone))
                        return i;
        }
        return NULL;
@@ -141,8 +151,7 @@ nf_ct_find_expectation(struct net *net,
        h = nf_ct_expect_dst_hash(tuple);
        hlist_for_each_entry(i, &net->ct.expect_hash[h], hnode) {
                if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
-                    nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
+                    nf_ct_exp_equal(tuple, i, zone, net)) {
-                    nf_ct_zone_equal_any(i->master, zone)) {
                        exp = i;
                        break;
                }
@@ -222,6 +231,7 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
        }
        return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
+               net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
               nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
 }
@@ -231,6 +241,7 @@ static inline int expect_matches(const struct nf_conntrack_expect *a,
        return a->master == b->master && a->class == b->class &&
               nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
               nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
+               net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
               nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
 }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index e00f178c48b0..5dfb84d86143 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2636,6 +2636,10 @@ restart:
                                     hnode) {
                        if (l3proto && exp->tuple.src.l3num != l3proto)
                                continue;
+                        if (!net_eq(nf_ct_net(exp->master), net))
+                                continue;
                        if (cb->args[1]) {
                                if (exp != last)
                                        continue;
@@ -2888,6 +2892,10 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
                        hlist_for_each_entry_safe(exp, next,
                                                  &net->ct.expect_hash[i],
                                                  hnode) {
+                                if (!net_eq(nf_ct_exp_net(exp), net))
+                                        continue;
                                m_help = nfct_help(exp->master);
                                if (!strcmp(m_help->helper->name, name) &&
                                    del_timer(&exp->timeout)) {
@@ -2906,6 +2914,10 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
                        hlist_for_each_entry_safe(exp, next,
                                                  &net->ct.expect_hash[i],
                                                  hnode) {
+                                if (!net_eq(nf_ct_exp_net(exp), net))
+                                        continue;
                                if (del_timer(&exp->timeout)) {
                                        nf_ct_unlink_expect_report(exp,
                                                        NETLINK_CB(skb).portid,
author	Florian Westphal <fw@strlen.de>	2016-05-05 18:51:47 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-05-06 05:50:01 -0400
commit	03d7dc5cdfe6fd4e5bd04cfc2be7ae259f956428 (patch)
tree	154c3f3f33680d9294dd10c50eb5217f2ace6887
parent	cb39ad8b8ef224c544074962780bf763077d6141 (diff)