diff options
| author | Denis V. Lunev <den@openvz.org> | 2008-03-24 18:33:00 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-03-24 18:33:00 -0400 |
| commit | f145049a06f470d0489f47cb83ff3ccb2a0de622 (patch) | |
| tree | 2d25f9af4c1e599763f01f9338ed8bf0517ddac1 | |
| parent | 0be43f82c4f4c4a999b53cf794513f7f1a4ed7f3 (diff) | |
[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis.
IP layer now can handle multiple namespaces normally. So, process such
packets normally and drop them only if the transport layer is not
aware about namespaces.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/protocol.h | 3 | ||||
| -rw-r--r-- | net/ipv4/ip_input.c | 8 |
2 files changed, 6 insertions, 5 deletions
diff --git a/include/net/protocol.h b/include/net/protocol.h index ad8c584233a6..8d024d7cb741 100644 --- a/include/net/protocol.h +++ b/include/net/protocol.h | |||
| @@ -39,7 +39,8 @@ struct net_protocol { | |||
| 39 | int (*gso_send_check)(struct sk_buff *skb); | 39 | int (*gso_send_check)(struct sk_buff *skb); |
| 40 | struct sk_buff *(*gso_segment)(struct sk_buff *skb, | 40 | struct sk_buff *(*gso_segment)(struct sk_buff *skb, |
| 41 | int features); | 41 | int features); |
| 42 | int no_policy; | 42 | unsigned int no_policy:1, |
| 43 | netns_ok:1; | ||
| 43 | }; | 44 | }; |
| 44 | 45 | ||
| 45 | #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) | 46 | #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) |
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index eb1fa27dc0c4..2aeea5d15425 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c | |||
| @@ -199,6 +199,8 @@ int ip_call_ra_chain(struct sk_buff *skb) | |||
| 199 | 199 | ||
| 200 | static int ip_local_deliver_finish(struct sk_buff *skb) | 200 | static int ip_local_deliver_finish(struct sk_buff *skb) |
| 201 | { | 201 | { |
| 202 | struct net *net = skb->dev->nd_net; | ||
| 203 | |||
| 202 | __skb_pull(skb, ip_hdrlen(skb)); | 204 | __skb_pull(skb, ip_hdrlen(skb)); |
| 203 | 205 | ||
| 204 | /* Point into the IP datagram, just past the header. */ | 206 | /* Point into the IP datagram, just past the header. */ |
| @@ -214,7 +216,8 @@ static int ip_local_deliver_finish(struct sk_buff *skb) | |||
| 214 | raw = raw_local_deliver(skb, protocol); | 216 | raw = raw_local_deliver(skb, protocol); |
| 215 | 217 | ||
| 216 | hash = protocol & (MAX_INET_PROTOS - 1); | 218 | hash = protocol & (MAX_INET_PROTOS - 1); |
| 217 | if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) { | 219 | ipprot = rcu_dereference(inet_protos[hash]); |
| 220 | if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) { | ||
| 218 | int ret; | 221 | int ret; |
| 219 | 222 | ||
| 220 | if (!ipprot->no_policy) { | 223 | if (!ipprot->no_policy) { |
| @@ -375,9 +378,6 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, | |||
| 375 | struct iphdr *iph; | 378 | struct iphdr *iph; |
| 376 | u32 len; | 379 | u32 len; |
| 377 | 380 | ||
| 378 | if (dev->nd_net != &init_net) | ||
| 379 | goto drop; | ||
| 380 | |||
| 381 | /* When the interface is in promisc. mode, drop all the crap | 381 | /* When the interface is in promisc. mode, drop all the crap |
| 382 | * that it receives, do not try to analyse it. | 382 | * that it receives, do not try to analyse it. |
| 383 | */ | 383 | */ |