diff options
| author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-07-08 05:36:18 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-07-08 05:36:18 -0400 |
| commit | 43de9dfeaa30f7ed801dc1c38bdb63b1738bddcc (patch) | |
| tree | 756447886ded9413fbe010f5820dfa3d60baf199 | |
| parent | b891c5a831b13f74989dcbd7b39d04537b2a05d9 (diff) | |
netfilter: ip6table_filter in netns for real
One still needs to remove checks in nf_hook_slow() and nf_sockopt_find()
to test this, though.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 31 |
1 files changed, 22 insertions, 9 deletions
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index f979e48b469b..55a2c290bad4 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -61,13 +61,25 @@ static struct xt_table packet_filter = { | |||
| 61 | 61 | ||
| 62 | /* The work comes in here from netfilter.c. */ | 62 | /* The work comes in here from netfilter.c. */ |
| 63 | static unsigned int | 63 | static unsigned int |
| 64 | ip6t_hook(unsigned int hook, | 64 | ip6t_local_in_hook(unsigned int hook, |
| 65 | struct sk_buff *skb, | 65 | struct sk_buff *skb, |
| 66 | const struct net_device *in, | 66 | const struct net_device *in, |
| 67 | const struct net_device *out, | 67 | const struct net_device *out, |
| 68 | int (*okfn)(struct sk_buff *)) | 68 | int (*okfn)(struct sk_buff *)) |
| 69 | { | ||
| 70 | return ip6t_do_table(skb, hook, in, out, | ||
| 71 | nf_local_in_net(in, out)->ipv6.ip6table_filter); | ||
| 72 | } | ||
| 73 | |||
| 74 | static unsigned int | ||
| 75 | ip6t_forward_hook(unsigned int hook, | ||
| 76 | struct sk_buff *skb, | ||
| 77 | const struct net_device *in, | ||
| 78 | const struct net_device *out, | ||
| 79 | int (*okfn)(struct sk_buff *)) | ||
| 69 | { | 80 | { |
| 70 | return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter); | 81 | return ip6t_do_table(skb, hook, in, out, |
| 82 | nf_forward_net(in, out)->ipv6.ip6table_filter); | ||
| 71 | } | 83 | } |
| 72 | 84 | ||
| 73 | static unsigned int | 85 | static unsigned int |
| @@ -87,19 +99,20 @@ ip6t_local_out_hook(unsigned int hook, | |||
| 87 | } | 99 | } |
| 88 | #endif | 100 | #endif |
| 89 | 101 | ||
| 90 | return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter); | 102 | return ip6t_do_table(skb, hook, in, out, |
| 103 | nf_local_out_net(in, out)->ipv6.ip6table_filter); | ||
| 91 | } | 104 | } |
| 92 | 105 | ||
| 93 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { | 106 | static struct nf_hook_ops ip6t_ops[] __read_mostly = { |
| 94 | { | 107 | { |
| 95 | .hook = ip6t_hook, | 108 | .hook = ip6t_local_in_hook, |
| 96 | .owner = THIS_MODULE, | 109 | .owner = THIS_MODULE, |
| 97 | .pf = PF_INET6, | 110 | .pf = PF_INET6, |
| 98 | .hooknum = NF_INET_LOCAL_IN, | 111 | .hooknum = NF_INET_LOCAL_IN, |
| 99 | .priority = NF_IP6_PRI_FILTER, | 112 | .priority = NF_IP6_PRI_FILTER, |
| 100 | }, | 113 | }, |
| 101 | { | 114 | { |
| 102 | .hook = ip6t_hook, | 115 | .hook = ip6t_forward_hook, |
| 103 | .owner = THIS_MODULE, | 116 | .owner = THIS_MODULE, |
| 104 | .pf = PF_INET6, | 117 | .pf = PF_INET6, |
| 105 | .hooknum = NF_INET_FORWARD, | 118 | .hooknum = NF_INET_FORWARD, |