diff options
author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-11-04 08:22:55 -0500 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2008-11-04 08:22:55 -0500 |
commit | 511061e2dd1b84bb21bb97c9216a19606c29ac02 (patch) | |
tree | 8979b8d7708fb29520afca9ae76feec92d5b6c6d | |
parent | 19223f26d97077da8cf25251458afe00cae20cbb (diff) |
netfilter: netns ebtables: part 1
* propagate netns from userspace, register table in passed netns
* remporarily register every ebt_table in init_net
P. S.: one needs to add ".netns_ok = 1" to igmp_protocol to test with
ebtables(8) in netns.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | include/linux/netfilter_bridge/ebtables.h | 2 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtable_broute.c | 2 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtable_filter.c | 2 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtable_nat.c | 2 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 27 |
5 files changed, 18 insertions, 17 deletions
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h index d45e29cd1cfb..624e7883068c 100644 --- a/include/linux/netfilter_bridge/ebtables.h +++ b/include/linux/netfilter_bridge/ebtables.h | |||
@@ -300,7 +300,7 @@ struct ebt_table | |||
300 | 300 | ||
301 | #define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \ | 301 | #define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \ |
302 | ~(__alignof__(struct ebt_replace)-1)) | 302 | ~(__alignof__(struct ebt_replace)-1)) |
303 | extern int ebt_register_table(struct ebt_table *table); | 303 | extern int ebt_register_table(struct net *net, struct ebt_table *table); |
304 | extern void ebt_unregister_table(struct ebt_table *table); | 304 | extern void ebt_unregister_table(struct ebt_table *table); |
305 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, | 305 | extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb, |
306 | const struct net_device *in, const struct net_device *out, | 306 | const struct net_device *in, const struct net_device *out, |
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c index 246626bb0c87..1731ce8f7479 100644 --- a/net/bridge/netfilter/ebtable_broute.c +++ b/net/bridge/netfilter/ebtable_broute.c | |||
@@ -66,7 +66,7 @@ static int __init ebtable_broute_init(void) | |||
66 | { | 66 | { |
67 | int ret; | 67 | int ret; |
68 | 68 | ||
69 | ret = ebt_register_table(&broute_table); | 69 | ret = ebt_register_table(&init_net, &broute_table); |
70 | if (ret < 0) | 70 | if (ret < 0) |
71 | return ret; | 71 | return ret; |
72 | /* see br_input.c */ | 72 | /* see br_input.c */ |
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c index 1a58af51a2e2..af8953c9a57c 100644 --- a/net/bridge/netfilter/ebtable_filter.c +++ b/net/bridge/netfilter/ebtable_filter.c | |||
@@ -95,7 +95,7 @@ static int __init ebtable_filter_init(void) | |||
95 | { | 95 | { |
96 | int ret; | 96 | int ret; |
97 | 97 | ||
98 | ret = ebt_register_table(&frame_filter); | 98 | ret = ebt_register_table(&init_net, &frame_filter); |
99 | if (ret < 0) | 99 | if (ret < 0) |
100 | return ret; | 100 | return ret; |
101 | ret = nf_register_hooks(ebt_ops_filter, ARRAY_SIZE(ebt_ops_filter)); | 101 | ret = nf_register_hooks(ebt_ops_filter, ARRAY_SIZE(ebt_ops_filter)); |
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c index f60c1e78e575..bafe16029bd7 100644 --- a/net/bridge/netfilter/ebtable_nat.c +++ b/net/bridge/netfilter/ebtable_nat.c | |||
@@ -102,7 +102,7 @@ static int __init ebtable_nat_init(void) | |||
102 | { | 102 | { |
103 | int ret; | 103 | int ret; |
104 | 104 | ||
105 | ret = ebt_register_table(&frame_nat); | 105 | ret = ebt_register_table(&init_net, &frame_nat); |
106 | if (ret < 0) | 106 | if (ret < 0) |
107 | return ret; | 107 | return ret; |
108 | ret = nf_register_hooks(ebt_ops_nat, ARRAY_SIZE(ebt_ops_nat)); | 108 | ret = nf_register_hooks(ebt_ops_nat, ARRAY_SIZE(ebt_ops_nat)); |
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 0fa208e86405..c1a82b2826eb 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -55,7 +55,6 @@ | |||
55 | 55 | ||
56 | 56 | ||
57 | static DEFINE_MUTEX(ebt_mutex); | 57 | static DEFINE_MUTEX(ebt_mutex); |
58 | static LIST_HEAD(ebt_tables); | ||
59 | 58 | ||
60 | static struct xt_target ebt_standard_target = { | 59 | static struct xt_target ebt_standard_target = { |
61 | .name = "standard", | 60 | .name = "standard", |
@@ -315,9 +314,11 @@ find_inlist_lock(struct list_head *head, const char *name, const char *prefix, | |||
315 | } | 314 | } |
316 | 315 | ||
317 | static inline struct ebt_table * | 316 | static inline struct ebt_table * |
318 | find_table_lock(const char *name, int *error, struct mutex *mutex) | 317 | find_table_lock(struct net *net, const char *name, int *error, |
318 | struct mutex *mutex) | ||
319 | { | 319 | { |
320 | return find_inlist_lock(&ebt_tables, name, "ebtable_", error, mutex); | 320 | return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name, |
321 | "ebtable_", error, mutex); | ||
321 | } | 322 | } |
322 | 323 | ||
323 | static inline int | 324 | static inline int |
@@ -944,7 +945,7 @@ static void get_counters(struct ebt_counter *oldcounters, | |||
944 | } | 945 | } |
945 | 946 | ||
946 | /* replace the table */ | 947 | /* replace the table */ |
947 | static int do_replace(void __user *user, unsigned int len) | 948 | static int do_replace(struct net *net, void __user *user, unsigned int len) |
948 | { | 949 | { |
949 | int ret, i, countersize; | 950 | int ret, i, countersize; |
950 | struct ebt_table_info *newinfo; | 951 | struct ebt_table_info *newinfo; |
@@ -1016,7 +1017,7 @@ static int do_replace(void __user *user, unsigned int len) | |||
1016 | if (ret != 0) | 1017 | if (ret != 0) |
1017 | goto free_counterstmp; | 1018 | goto free_counterstmp; |
1018 | 1019 | ||
1019 | t = find_table_lock(tmp.name, &ret, &ebt_mutex); | 1020 | t = find_table_lock(net, tmp.name, &ret, &ebt_mutex); |
1020 | if (!t) { | 1021 | if (!t) { |
1021 | ret = -ENOENT; | 1022 | ret = -ENOENT; |
1022 | goto free_iterate; | 1023 | goto free_iterate; |
@@ -1097,7 +1098,7 @@ free_newinfo: | |||
1097 | return ret; | 1098 | return ret; |
1098 | } | 1099 | } |
1099 | 1100 | ||
1100 | int ebt_register_table(struct ebt_table *table) | 1101 | int ebt_register_table(struct net *net, struct ebt_table *table) |
1101 | { | 1102 | { |
1102 | struct ebt_table_info *newinfo; | 1103 | struct ebt_table_info *newinfo; |
1103 | struct ebt_table *t; | 1104 | struct ebt_table *t; |
@@ -1157,7 +1158,7 @@ int ebt_register_table(struct ebt_table *table) | |||
1157 | if (ret != 0) | 1158 | if (ret != 0) |
1158 | goto free_chainstack; | 1159 | goto free_chainstack; |
1159 | 1160 | ||
1160 | list_for_each_entry(t, &ebt_tables, list) { | 1161 | list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { |
1161 | if (strcmp(t->name, table->name) == 0) { | 1162 | if (strcmp(t->name, table->name) == 0) { |
1162 | ret = -EEXIST; | 1163 | ret = -EEXIST; |
1163 | BUGPRINT("Table name already exists\n"); | 1164 | BUGPRINT("Table name already exists\n"); |
@@ -1170,7 +1171,7 @@ int ebt_register_table(struct ebt_table *table) | |||
1170 | ret = -ENOENT; | 1171 | ret = -ENOENT; |
1171 | goto free_unlock; | 1172 | goto free_unlock; |
1172 | } | 1173 | } |
1173 | list_add(&table->list, &ebt_tables); | 1174 | list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]); |
1174 | mutex_unlock(&ebt_mutex); | 1175 | mutex_unlock(&ebt_mutex); |
1175 | return 0; | 1176 | return 0; |
1176 | free_unlock: | 1177 | free_unlock: |
@@ -1208,7 +1209,7 @@ void ebt_unregister_table(struct ebt_table *table) | |||
1208 | } | 1209 | } |
1209 | 1210 | ||
1210 | /* userspace just supplied us with counters */ | 1211 | /* userspace just supplied us with counters */ |
1211 | static int update_counters(void __user *user, unsigned int len) | 1212 | static int update_counters(struct net *net, void __user *user, unsigned int len) |
1212 | { | 1213 | { |
1213 | int i, ret; | 1214 | int i, ret; |
1214 | struct ebt_counter *tmp; | 1215 | struct ebt_counter *tmp; |
@@ -1228,7 +1229,7 @@ static int update_counters(void __user *user, unsigned int len) | |||
1228 | return -ENOMEM; | 1229 | return -ENOMEM; |
1229 | } | 1230 | } |
1230 | 1231 | ||
1231 | t = find_table_lock(hlp.name, &ret, &ebt_mutex); | 1232 | t = find_table_lock(net, hlp.name, &ret, &ebt_mutex); |
1232 | if (!t) | 1233 | if (!t) |
1233 | goto free_tmp; | 1234 | goto free_tmp; |
1234 | 1235 | ||
@@ -1386,10 +1387,10 @@ static int do_ebt_set_ctl(struct sock *sk, | |||
1386 | 1387 | ||
1387 | switch(cmd) { | 1388 | switch(cmd) { |
1388 | case EBT_SO_SET_ENTRIES: | 1389 | case EBT_SO_SET_ENTRIES: |
1389 | ret = do_replace(user, len); | 1390 | ret = do_replace(sock_net(sk), user, len); |
1390 | break; | 1391 | break; |
1391 | case EBT_SO_SET_COUNTERS: | 1392 | case EBT_SO_SET_COUNTERS: |
1392 | ret = update_counters(user, len); | 1393 | ret = update_counters(sock_net(sk), user, len); |
1393 | break; | 1394 | break; |
1394 | default: | 1395 | default: |
1395 | ret = -EINVAL; | 1396 | ret = -EINVAL; |
@@ -1406,7 +1407,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
1406 | if (copy_from_user(&tmp, user, sizeof(tmp))) | 1407 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1407 | return -EFAULT; | 1408 | return -EFAULT; |
1408 | 1409 | ||
1409 | t = find_table_lock(tmp.name, &ret, &ebt_mutex); | 1410 | t = find_table_lock(sock_net(sk), tmp.name, &ret, &ebt_mutex); |
1410 | if (!t) | 1411 | if (!t) |
1411 | return ret; | 1412 | return ret; |
1412 | 1413 | ||