diff options
| author | Arnd Bergmann <arnd@arndb.de> | 2010-01-30 07:23:03 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-02-03 23:20:32 -0500 |
| commit | 8a83a00b0735190384a348156837918271034144 (patch) | |
| tree | f69d903405e2424c196d8648bb6cb18443359373 /net/core/dev.c | |
| parent | 6884b348ed759184032306c9435a727741a72298 (diff) | |
net: maintain namespace isolation between vlan and real device
In the vlan and macvlan drivers, the start_xmit function forwards
data to the dev_queue_xmit function for another device, which may
potentially belong to a different namespace.
To make sure that classification stays within a single namespace,
this resets the potentially critical fields.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/dev.c')
| -rw-r--r-- | net/core/dev.c | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/net/core/dev.c b/net/core/dev.c index 2cba5c521e56..94c1eeed25e5 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
| @@ -1448,13 +1448,10 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb) | |||
| 1448 | if (skb->len > (dev->mtu + dev->hard_header_len)) | 1448 | if (skb->len > (dev->mtu + dev->hard_header_len)) |
| 1449 | return NET_RX_DROP; | 1449 | return NET_RX_DROP; |
| 1450 | 1450 | ||
| 1451 | skb_dst_drop(skb); | 1451 | skb_set_dev(skb, dev); |
| 1452 | skb->tstamp.tv64 = 0; | 1452 | skb->tstamp.tv64 = 0; |
| 1453 | skb->pkt_type = PACKET_HOST; | 1453 | skb->pkt_type = PACKET_HOST; |
| 1454 | skb->protocol = eth_type_trans(skb, dev); | 1454 | skb->protocol = eth_type_trans(skb, dev); |
| 1455 | skb->mark = 0; | ||
| 1456 | secpath_reset(skb); | ||
| 1457 | nf_reset(skb); | ||
| 1458 | return netif_rx(skb); | 1455 | return netif_rx(skb); |
| 1459 | } | 1456 | } |
| 1460 | EXPORT_SYMBOL_GPL(dev_forward_skb); | 1457 | EXPORT_SYMBOL_GPL(dev_forward_skb); |
| @@ -1614,6 +1611,36 @@ static bool dev_can_checksum(struct net_device *dev, struct sk_buff *skb) | |||
| 1614 | return false; | 1611 | return false; |
| 1615 | } | 1612 | } |
| 1616 | 1613 | ||
| 1614 | /** | ||
| 1615 | * skb_dev_set -- assign a new device to a buffer | ||
| 1616 | * @skb: buffer for the new device | ||
| 1617 | * @dev: network device | ||
| 1618 | * | ||
| 1619 | * If an skb is owned by a device already, we have to reset | ||
| 1620 | * all data private to the namespace a device belongs to | ||
| 1621 | * before assigning it a new device. | ||
| 1622 | */ | ||
| 1623 | #ifdef CONFIG_NET_NS | ||
| 1624 | void skb_set_dev(struct sk_buff *skb, struct net_device *dev) | ||
| 1625 | { | ||
| 1626 | skb_dst_drop(skb); | ||
| 1627 | if (skb->dev && !net_eq(dev_net(skb->dev), dev_net(dev))) { | ||
| 1628 | secpath_reset(skb); | ||
| 1629 | nf_reset(skb); | ||
| 1630 | skb_init_secmark(skb); | ||
| 1631 | skb->mark = 0; | ||
| 1632 | skb->priority = 0; | ||
| 1633 | skb->nf_trace = 0; | ||
| 1634 | skb->ipvs_property = 0; | ||
| 1635 | #ifdef CONFIG_NET_SCHED | ||
| 1636 | skb->tc_index = 0; | ||
| 1637 | #endif | ||
| 1638 | } | ||
| 1639 | skb->dev = dev; | ||
| 1640 | } | ||
| 1641 | EXPORT_SYMBOL(skb_set_dev); | ||
| 1642 | #endif /* CONFIG_NET_NS */ | ||
| 1643 | |||
| 1617 | /* | 1644 | /* |
| 1618 | * Invalidate hardware checksum when packet is to be mangled, and | 1645 | * Invalidate hardware checksum when packet is to be mangled, and |
| 1619 | * complete checksum manually on outgoing path. | 1646 | * complete checksum manually on outgoing path. |