diff options
author | Denis V. Lunev <den@openvz.org> | 2008-03-24 18:33:00 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-03-24 18:33:00 -0400 |
commit | f145049a06f470d0489f47cb83ff3ccb2a0de622 (patch) | |
tree | 2d25f9af4c1e599763f01f9338ed8bf0517ddac1 | |
parent | 0be43f82c4f4c4a999b53cf794513f7f1a4ed7f3 (diff) |
[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis.
IP layer now can handle multiple namespaces normally. So, process such
packets normally and drop them only if the transport layer is not
aware about namespaces.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/protocol.h | 3 | ||||
-rw-r--r-- | net/ipv4/ip_input.c | 8 |
2 files changed, 6 insertions, 5 deletions
diff --git a/include/net/protocol.h b/include/net/protocol.h index ad8c584233a6..8d024d7cb741 100644 --- a/include/net/protocol.h +++ b/include/net/protocol.h | |||
@@ -39,7 +39,8 @@ struct net_protocol { | |||
39 | int (*gso_send_check)(struct sk_buff *skb); | 39 | int (*gso_send_check)(struct sk_buff *skb); |
40 | struct sk_buff *(*gso_segment)(struct sk_buff *skb, | 40 | struct sk_buff *(*gso_segment)(struct sk_buff *skb, |
41 | int features); | 41 | int features); |
42 | int no_policy; | 42 | unsigned int no_policy:1, |
43 | netns_ok:1; | ||
43 | }; | 44 | }; |
44 | 45 | ||
45 | #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) | 46 | #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) |
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index eb1fa27dc0c4..2aeea5d15425 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c | |||
@@ -199,6 +199,8 @@ int ip_call_ra_chain(struct sk_buff *skb) | |||
199 | 199 | ||
200 | static int ip_local_deliver_finish(struct sk_buff *skb) | 200 | static int ip_local_deliver_finish(struct sk_buff *skb) |
201 | { | 201 | { |
202 | struct net *net = skb->dev->nd_net; | ||
203 | |||
202 | __skb_pull(skb, ip_hdrlen(skb)); | 204 | __skb_pull(skb, ip_hdrlen(skb)); |
203 | 205 | ||
204 | /* Point into the IP datagram, just past the header. */ | 206 | /* Point into the IP datagram, just past the header. */ |
@@ -214,7 +216,8 @@ static int ip_local_deliver_finish(struct sk_buff *skb) | |||
214 | raw = raw_local_deliver(skb, protocol); | 216 | raw = raw_local_deliver(skb, protocol); |
215 | 217 | ||
216 | hash = protocol & (MAX_INET_PROTOS - 1); | 218 | hash = protocol & (MAX_INET_PROTOS - 1); |
217 | if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) { | 219 | ipprot = rcu_dereference(inet_protos[hash]); |
220 | if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) { | ||
218 | int ret; | 221 | int ret; |
219 | 222 | ||
220 | if (!ipprot->no_policy) { | 223 | if (!ipprot->no_policy) { |
@@ -375,9 +378,6 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, | |||
375 | struct iphdr *iph; | 378 | struct iphdr *iph; |
376 | u32 len; | 379 | u32 len; |
377 | 380 | ||
378 | if (dev->nd_net != &init_net) | ||
379 | goto drop; | ||
380 | |||
381 | /* When the interface is in promisc. mode, drop all the crap | 381 | /* When the interface is in promisc. mode, drop all the crap |
382 | * that it receives, do not try to analyse it. | 382 | * that it receives, do not try to analyse it. |
383 | */ | 383 | */ |