diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/core/neighbour.c | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/core/neighbour.c')
| -rw-r--r-- | net/core/neighbour.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 175bbc0a974e..29f0a4d2008f 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c | |||
| @@ -1449,6 +1449,9 @@ static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 1449 | struct net_device *dev = NULL; | 1449 | struct net_device *dev = NULL; |
| 1450 | int err = -EINVAL; | 1450 | int err = -EINVAL; |
| 1451 | 1451 | ||
| 1452 | if (net != &init_net) | ||
| 1453 | return -EINVAL; | ||
| 1454 | |||
| 1452 | if (nlmsg_len(nlh) < sizeof(*ndm)) | 1455 | if (nlmsg_len(nlh) < sizeof(*ndm)) |
| 1453 | goto out; | 1456 | goto out; |
| 1454 | 1457 | ||
| @@ -1515,6 +1518,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 1515 | struct net_device *dev = NULL; | 1518 | struct net_device *dev = NULL; |
| 1516 | int err; | 1519 | int err; |
| 1517 | 1520 | ||
| 1521 | if (net != &init_net) | ||
| 1522 | return -EINVAL; | ||
| 1523 | |||
| 1518 | err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); | 1524 | err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); |
| 1519 | if (err < 0) | 1525 | if (err < 0) |
| 1520 | goto out; | 1526 | goto out; |
| @@ -1789,11 +1795,15 @@ static const struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] = { | |||
| 1789 | 1795 | ||
| 1790 | static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 1796 | static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 1791 | { | 1797 | { |
| 1798 | struct net *net = skb->sk->sk_net; | ||
| 1792 | struct neigh_table *tbl; | 1799 | struct neigh_table *tbl; |
| 1793 | struct ndtmsg *ndtmsg; | 1800 | struct ndtmsg *ndtmsg; |
| 1794 | struct nlattr *tb[NDTA_MAX+1]; | 1801 | struct nlattr *tb[NDTA_MAX+1]; |
| 1795 | int err; | 1802 | int err; |
| 1796 | 1803 | ||
| 1804 | if (net != &init_net) | ||
| 1805 | return -EINVAL; | ||
| 1806 | |||
| 1797 | err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, | 1807 | err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, |
| 1798 | nl_neightbl_policy); | 1808 | nl_neightbl_policy); |
| 1799 | if (err < 0) | 1809 | if (err < 0) |
| @@ -1913,11 +1923,15 @@ errout: | |||
| 1913 | 1923 | ||
| 1914 | static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) | 1924 | static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) |
| 1915 | { | 1925 | { |
| 1926 | struct net *net = skb->sk->sk_net; | ||
| 1916 | int family, tidx, nidx = 0; | 1927 | int family, tidx, nidx = 0; |
| 1917 | int tbl_skip = cb->args[0]; | 1928 | int tbl_skip = cb->args[0]; |
| 1918 | int neigh_skip = cb->args[1]; | 1929 | int neigh_skip = cb->args[1]; |
| 1919 | struct neigh_table *tbl; | 1930 | struct neigh_table *tbl; |
| 1920 | 1931 | ||
| 1932 | if (net != &init_net) | ||
| 1933 | return 0; | ||
| 1934 | |||
| 1921 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; | 1935 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; |
| 1922 | 1936 | ||
| 1923 | read_lock(&neigh_tbl_lock); | 1937 | read_lock(&neigh_tbl_lock); |
| @@ -2042,9 +2056,13 @@ out: | |||
| 2042 | 2056 | ||
| 2043 | static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) | 2057 | static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) |
| 2044 | { | 2058 | { |
| 2059 | struct net *net = skb->sk->sk_net; | ||
| 2045 | struct neigh_table *tbl; | 2060 | struct neigh_table *tbl; |
| 2046 | int t, family, s_t; | 2061 | int t, family, s_t; |
| 2047 | 2062 | ||
| 2063 | if (net != &init_net) | ||
| 2064 | return 0; | ||
| 2065 | |||
| 2048 | read_lock(&neigh_tbl_lock); | 2066 | read_lock(&neigh_tbl_lock); |
| 2049 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; | 2067 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; |
| 2050 | s_t = cb->args[0]; | 2068 | s_t = cb->args[0]; |