[NETFILTER] nfnetlink: unconditionally require CAP_NET_ADMIN

This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink messages. It also removes the per-message cap_required field, since all existing subsystems use CAP_NET_ADMIN for all their messages anyway. Patrick McHardy owes me a beer if we ever need to re-introduce this. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Harald Welte <laforge@netfilter.org> 2005-11-14 18:24:59 -0500
committer: David S. Miller <davem@davemloft.net> 2005-11-14 18:24:59 -0500
commit: 37d2e7a20d745035b600f1a6be56cbb9c7259419 (patch)
tree: c76e0ba522d34c8b3021bf0f012632f7877f5281 /net/ipv4
parent: 3746a2b1402e7933c7f1eabdce384b8454dc2ef7 (diff)
1 files changed, 7 insertions, 14 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index f5e5e3158670..de9f4464438d 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -1543,29 +1543,22 @@ static struct notifier_block ctnl_notifier_exp = {
 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
        [IPCTNL_MSG_CT_NEW]             = { .call = ctnetlink_new_conntrack,
-                                            .attr_count = CTA_MAX,
+                                            .attr_count = CTA_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
        [IPCTNL_MSG_CT_GET]             = { .call = ctnetlink_get_conntrack,
-                                            .attr_count = CTA_MAX,
+                                            .attr_count = CTA_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
        [IPCTNL_MSG_CT_DELETE]          = { .call = ctnetlink_del_conntrack,
-                                            .attr_count = CTA_MAX,
+                                            .attr_count = CTA_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
        [IPCTNL_MSG_CT_GET_CTRZERO]     = { .call = ctnetlink_get_conntrack,
-                                            .attr_count = CTA_MAX,
+                                            .attr_count = CTA_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
 };
 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
        [IPCTNL_MSG_EXP_GET]            = { .call = ctnetlink_get_expect,
-                                            .attr_count = CTA_EXPECT_MAX,
+                                            .attr_count = CTA_EXPECT_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
        [IPCTNL_MSG_EXP_NEW]            = { .call = ctnetlink_new_expect,
-                                            .attr_count = CTA_EXPECT_MAX,
+                                            .attr_count = CTA_EXPECT_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
        [IPCTNL_MSG_EXP_DELETE]         = { .call = ctnetlink_del_expect,
-                                            .attr_count = CTA_EXPECT_MAX,
+                                            .attr_count = CTA_EXPECT_MAX, },
-                                            .cap_required = CAP_NET_ADMIN },
 };
 static struct nfnetlink_subsystem ctnl_subsys = {
author	Harald Welte <laforge@netfilter.org>	2005-11-14 18:24:59 -0500
committer	David S. Miller <davem@davemloft.net>	2005-11-14 18:24:59 -0500
commit	37d2e7a20d745035b600f1a6be56cbb9c7259419 (patch)
tree	c76e0ba522d34c8b3021bf0f012632f7877f5281 /net/ipv4
parent	3746a2b1402e7933c7f1eabdce384b8454dc2ef7 (diff)