authorAlexey Dobriyan <adobriyan@gmail.com>2008-10-08 05:35:02 -0400
committerPatrick McHardy <kaber@trash.net>2008-10-08 05:35:02 -0400
commite10aad9998e463df8e25ec749538faf3324dd31b (patch)
tree713fc7842695820ff55d74bc34abc72141359231 /net/ipv6
parent7dd1b8dad84c9561fe8949ed5db4de15aee877eb (diff)
netfilter: netns: ip6t_REJECT in netns for real
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c22
1 files changed, 12 insertions, 10 deletions
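--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -35,7 +35,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
 MODULE_LICENSE("GPL");
 
 /* Send RST reply */
-static void send_reset(struct sk_buff *oldskb)
+static void send_reset(struct net *net, struct sk_buff *oldskb)
 {
  struct sk_buff *nskb;
  struct tcphdr otcph, *tcph;
@@ -94,7 +94,7 @@ static void send_reset(struct sk_buff *oldskb)
  fl.fl_ip_sport = otcph.dest;
  fl.fl_ip_dport = otcph.source;
  security_skb_classify_flow(oldskb, &fl);
- dst = ip6_route_output(&init_net, NULL, &fl);
+ dst = ip6_route_output(net, NULL, &fl);
  if (dst == NULL)
  return;
  if (dst->error || xfrm_lookup(&dst, &fl, NULL, 0))
@@ -163,10 +163,11 @@ static void send_reset(struct sk_buff *oldskb)
 }
 
 static inline void
-send_unreach(struct sk_buff *skb_in, unsigned char code, unsigned int hooknum)
+send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
+ unsigned int hooknum)
 {
  if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
- skb_in->dev = init_net.loopback_dev;
+ skb_in->dev = net->loopback_dev;
 
  icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
 }
@@ -177,6 +178,7 @@ reject_tg6(struct sk_buff *skb, const struct net_device *in,
  const struct xt_target *target, const void *targinfo)
 {
  const struct ip6t_reject_info *reject = targinfo;
+ struct net *net = dev_net(in ? in : out);
 
  pr_debug("%s: medium point\n", __func__);
  /* WARNING: This code causes reentry within ip6tables.
@@ -184,25 +186,25 @@ reject_tg6(struct sk_buff *skb, const struct net_device *in,
  must return an absolute verdict. --RR */
  switch (reject->with) {
  case IP6T_ICMP6_NO_ROUTE:
- send_unreach(skb, ICMPV6_NOROUTE, hooknum);
+ send_unreach(net, skb, ICMPV6_NOROUTE, hooknum);
  break;
  case IP6T_ICMP6_ADM_PROHIBITED:
- send_unreach(skb, ICMPV6_ADM_PROHIBITED, hooknum);
+ send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, hooknum);
  break;
  case IP6T_ICMP6_NOT_NEIGHBOUR:
- send_unreach(skb, ICMPV6_NOT_NEIGHBOUR, hooknum);
+ send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, hooknum);
  break;
  case IP6T_ICMP6_ADDR_UNREACH:
- send_unreach(skb, ICMPV6_ADDR_UNREACH, hooknum);
+ send_unreach(net, skb, ICMPV6_ADDR_UNREACH, hooknum);
  break;
  case IP6T_ICMP6_PORT_UNREACH:
- send_unreach(skb, ICMPV6_PORT_UNREACH, hooknum);
+ send_unreach(net, skb, ICMPV6_PORT_UNREACH, hooknum);
  break;
  case IP6T_ICMP6_ECHOREPLY:
  /* Do nothing */
  break;
  case IP6T_TCP_RESET:
- send_reset(skb);
+ send_reset(net, skb);
  break;
  default:
  if (net_ratelimit())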
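Review bot: The added `struct net *net = dev_net(in ? in : out);` in reject_tg6 depends on at least one of `in` and `out` being non-NULL, and nothing visible states that invariant; I would put `/* every hook passes in or out; it selects the netns for the reply */` above it. In send_reset only the `ip6_route_output()` call is visible as converted, and the body between the second and third hunks is not shown, so it is worth confirming that no other `init_net` reference remains there, since a leftover would still send the RST through the initial namespace. The `xfrm_lookup(&dst, &fl, NULL, 0)` call on the following context line takes no namespace argument here, so the policy lookup presumably is not per-namespace yet. reject_tg6 starts before and continues past its hunks.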