diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/ipv4/fib_frontend.c | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/ipv4/fib_frontend.c')
| -rw-r--r-- | net/ipv4/fib_frontend.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 97abf934d185..e02aba5fa136 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c | |||
| @@ -538,10 +538,14 @@ errout: | |||
| 538 | 538 | ||
| 539 | static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 539 | static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 540 | { | 540 | { |
| 541 | struct net *net = skb->sk->sk_net; | ||
| 541 | struct fib_config cfg; | 542 | struct fib_config cfg; |
| 542 | struct fib_table *tb; | 543 | struct fib_table *tb; |
| 543 | int err; | 544 | int err; |
| 544 | 545 | ||
| 546 | if (net != &init_net) | ||
| 547 | return -EINVAL; | ||
| 548 | |||
| 545 | err = rtm_to_fib_config(skb, nlh, &cfg); | 549 | err = rtm_to_fib_config(skb, nlh, &cfg); |
| 546 | if (err < 0) | 550 | if (err < 0) |
| 547 | goto errout; | 551 | goto errout; |
| @@ -559,10 +563,14 @@ errout: | |||
| 559 | 563 | ||
| 560 | static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 564 | static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 561 | { | 565 | { |
| 566 | struct net *net = skb->sk->sk_net; | ||
| 562 | struct fib_config cfg; | 567 | struct fib_config cfg; |
| 563 | struct fib_table *tb; | 568 | struct fib_table *tb; |
| 564 | int err; | 569 | int err; |
| 565 | 570 | ||
| 571 | if (net != &init_net) | ||
| 572 | return -EINVAL; | ||
| 573 | |||
| 566 | err = rtm_to_fib_config(skb, nlh, &cfg); | 574 | err = rtm_to_fib_config(skb, nlh, &cfg); |
| 567 | if (err < 0) | 575 | if (err < 0) |
| 568 | goto errout; | 576 | goto errout; |
| @@ -580,12 +588,16 @@ errout: | |||
| 580 | 588 | ||
| 581 | static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) | 589 | static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) |
| 582 | { | 590 | { |
| 591 | struct net *net = skb->sk->sk_net; | ||
| 583 | unsigned int h, s_h; | 592 | unsigned int h, s_h; |
| 584 | unsigned int e = 0, s_e; | 593 | unsigned int e = 0, s_e; |
| 585 | struct fib_table *tb; | 594 | struct fib_table *tb; |
| 586 | struct hlist_node *node; | 595 | struct hlist_node *node; |
| 587 | int dumped = 0; | 596 | int dumped = 0; |
| 588 | 597 | ||
| 598 | if (net != &init_net) | ||
| 599 | return 0; | ||
| 600 | |||
| 589 | if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && | 601 | if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && |
| 590 | ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) | 602 | ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) |
| 591 | return ip_rt_dump(skb, cb); | 603 | return ip_rt_dump(skb, cb); |