[NET]: Support multiple network namespaces with netlink

Each netlink socket will live in exactly one network namespace,
this includes the controlling kernel sockets.

This patch updates all of the existing netlink protocols
to only support the initial network namespace.  Request
by clients in other namespaces will get -ECONREFUSED.
As they would if the kernel did not have the support for
that netlink protocol compiled in.

As each netlink protocol is updated to be multiple network
namespace safe it can register multiple kernel sockets
to acquire a presence in the rest of the network namespaces.

The implementation in af_netlink is a simple filter implementation
at hash table insertion and hash table look up time.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 9 insertions, 8 deletions

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index cefb55ec3d62..140bf7a8d877 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -816,8 +816,8 @@ static void nl_fib_input(struct sock *sk, int len)
 
 static void nl_fib_lookup_init(void)
 {
-      netlink_kernel_create(NETLINK_FIB_LOOKUP, 0, nl_fib_input, NULL,
-                            THIS_MODULE);
+        netlink_kernel_create(&init_net, NETLINK_FIB_LOOKUP, 0, nl_fib_input,
+                                NULL, THIS_MODULE);
 }
 
 static void fib_disable_ip(struct net_device *dev, int force)
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 686ddd62f71a..031cc4856b49 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -897,8 +897,8 @@ static int __init inet_diag_init(void)
         if (!inet_diag_table)
                 goto out;
 
-        idiagnl = netlink_kernel_create(NETLINK_INET_DIAG, 0, inet_diag_rcv,
-                                        NULL, THIS_MODULE);
+        idiagnl = netlink_kernel_create(&init_net, NETLINK_INET_DIAG, 0,
+                                        inet_diag_rcv, NULL, THIS_MODULE);
         if (idiagnl == NULL)
                 goto out_free_table;
         err = 0;
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index d91856097f25..82fda92e6b97 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -579,7 +579,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
         if (event == NETLINK_URELEASE &&
             n->protocol == NETLINK_FIREWALL && n->pid) {
                 write_lock_bh(&queue_lock);
-                if (n->pid == peer_pid)
+                if ((n->net == &init_net) && (n->pid == peer_pid))
                         __ipq_reset();
                 write_unlock_bh(&queue_lock);
         }
@@ -671,8 +671,8 @@ static int __init ip_queue_init(void)
         struct proc_dir_entry *proc;
 
         netlink_register_notifier(&ipq_nl_notifier);
-        ipqnl = netlink_kernel_create(NETLINK_FIREWALL, 0, ipq_rcv_sk,
-                                      NULL, THIS_MODULE);
+        ipqnl = netlink_kernel_create(&init_net, NETLINK_FIREWALL, 0,
+                                      ipq_rcv_sk, NULL, THIS_MODULE);
         if (ipqnl == NULL) {
                 printk(KERN_ERR "ip_queue: failed to create netlink socket\n");
                 goto cleanup_netlink_notifier;
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 6ca43e4ca7e3..c636d6d63574 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -409,7 +409,8 @@ static int __init ipt_ulog_init(void)
         for (i = 0; i < ULOG_MAXNLGROUPS; i++)
                 setup_timer(&ulog_buffers[i].timer, ulog_timer, i);
 
-        nflognl = netlink_kernel_create(NETLINK_NFLOG, ULOG_MAXNLGROUPS, NULL,
+        nflognl = netlink_kernel_create(&init_net,
+                                        NETLINK_NFLOG, ULOG_MAXNLGROUPS, NULL,
                                         NULL, THIS_MODULE);
         if (!nflognl)
                 return -ENOMEM;