author | Denis V. Lunev <den@openvz.org> | 2007-11-20 01:28:35 -0500 |
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:26 -0500 |
commit | d12d01d6b4d197115c4d7736172b5b1ec8b1eb71 (patch) | |
tree | 480fc48e6ae404b59d2f62a7e3afc6ea88a5413c /net/packet | |
parent | 4b3da706bbe4613d2fe4df8df4d965954ea98964 (diff) |
[NET]: Make AF_PACKET handle multiple network namespaces
This is done by making packet_sklist_lock and packet_sklist per
network namespace and adding an additional filter condition on
received packets to ensure they came from the proper network
namespace.
Changes from v1:
- prohibit calling inet_dgram_ops.ioctl from any namespace other than init_net
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/packet')
-rw-r--r-- | net/packet/af_packet.c | 131 |
1 files changed, 85 insertions, 46 deletions
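--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -135,10 +135,6 @@ dev->hard_header == NULL (ll header is added by device, we cannot control it)
 packet classifier depends on it.
 */
 
-/* List of all packet sockets. */
-static HLIST_HEAD(packet_sklist);
-static DEFINE_RWLOCK(packet_sklist_lock);
-
 /* Private packet socket structures. */
 
 struct packet_mclist
@@ -246,9 +242,6 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, struct
 struct sock *sk;
 struct sockaddr_pkt *spkt;
 
-if (dev->nd_net != &init_net)
-goto out;
-
 /*
 * When we registered the protocol we saved the socket in the data
 * field for just this event.
@@ -270,6 +263,9 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, struct
 if (skb->pkt_type == PACKET_LOOPBACK)
 goto out;
 
+if (dev->nd_net != sk->sk_net)
+goto out;
+
 if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
 goto oom;
 
@@ -341,7 +337,7 @@ static int packet_sendmsg_spkt(struct kiocb *iocb, struct socket *sock,
 */
 
 saddr->spkt_device[13] = 0;
-dev = dev_get_by_name(&init_net, saddr->spkt_device);
+dev = dev_get_by_name(sk->sk_net, saddr->spkt_device);
 err = -ENODEV;
 if (dev == NULL)
 goto out_unlock;
@@ -449,15 +445,15 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, struct packet
 int skb_len = skb->len;
 unsigned int snaplen, res;
 
-if (dev->nd_net != &init_net)
-goto drop;
-
 if (skb->pkt_type == PACKET_LOOPBACK)
 goto drop;
 
 sk = pt->af_packet_priv;
 po = pkt_sk(sk);
 
+if (dev->nd_net != sk->sk_net)
+goto drop;
+
 skb->dev = dev;
 
 if (dev->header_ops) {
@@ -566,15 +562,15 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
 struct sk_buff *copy_skb = NULL;
 struct timeval tv;
 
-if (dev->nd_net != &init_net)
-goto drop;
-
 if (skb->pkt_type == PACKET_LOOPBACK)
 goto drop;
 
 sk = pt->af_packet_priv;
 po = pkt_sk(sk);
 
+if (dev->nd_net != sk->sk_net)
+goto drop;
+
 if (dev->header_ops) {
 if (sk->sk_type != SOCK_DGRAM)
 skb_push(skb, skb->data - skb_mac_header(skb));
@@ -732,7 +728,7 @@ static int packet_sendmsg(struct kiocb *iocb, struct socket *sock,
 }
 
 
-dev = dev_get_by_index(&init_net, ifindex);
+dev = dev_get_by_index(sk->sk_net, ifindex);
 err = -ENXIO;
 if (dev == NULL)
 goto out_unlock;
@@ -799,15 +795,17 @@ static int packet_release(struct socket *sock)
 {
 struct sock *sk = sock->sk;
 struct packet_sock *po;
+struct net *net;
 
 if (!sk)
 return 0;
 
+net = sk->sk_net;
 po = pkt_sk(sk);
 
-write_lock_bh(&packet_sklist_lock);
+write_lock_bh(&net->packet_sklist_lock);
 sk_del_node_init(sk);
-write_unlock_bh(&packet_sklist_lock);
+write_unlock_bh(&net->packet_sklist_lock);
 
 /*
 * Unhook packet receive handler.
@@ -916,7 +914,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, int add
 return -EINVAL;
 strlcpy(name,uaddr->sa_data,sizeof(name));
 
-dev = dev_get_by_name(&init_net, name);
+dev = dev_get_by_name(sk->sk_net, name);
 if (dev) {
 err = packet_do_bind(sk, dev, pkt_sk(sk)->num);
 dev_put(dev);
@@ -943,7 +941,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len
 
 if (sll->sll_ifindex) {
 err = -ENODEV;
-dev = dev_get_by_index(&init_net, sll->sll_ifindex);
+dev = dev_get_by_index(sk->sk_net, sll->sll_ifindex);
 if (dev == NULL)
 goto out;
 }
@@ -972,9 +970,6 @@ static int packet_create(struct net *net, struct socket *sock, int protocol)
 __be16 proto = (__force __be16)protocol; /* weird, but documented */
 int err;
 
-if (net != &init_net)
-return -EAFNOSUPPORT;
-
 if (!capable(CAP_NET_RAW))
 return -EPERM;
 if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
@@ -1020,9 +1015,9 @@ static int packet_create(struct net *net, struct socket *sock, int protocol)
 po->running = 1;
 }
 
-write_lock_bh(&packet_sklist_lock);
-sk_add_node(sk, &packet_sklist);
-write_unlock_bh(&packet_sklist_lock);
+write_lock_bh(&net->packet_sklist_lock);
+sk_add_node(sk, &net->packet_sklist);
+write_unlock_bh(&net->packet_sklist_lock);
 return(0);
 out:
 return err;
@@ -1140,7 +1135,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
 return -EOPNOTSUPP;
 
 uaddr->sa_family = AF_PACKET;
-dev = dev_get_by_index(&init_net, pkt_sk(sk)->ifindex);
+dev = dev_get_by_index(sk->sk_net, pkt_sk(sk)->ifindex);
 if (dev) {
 strlcpy(uaddr->sa_data, dev->name, 15);
 dev_put(dev);
@@ -1165,7 +1160,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
 sll->sll_family = AF_PACKET;
 sll->sll_ifindex = po->ifindex;
 sll->sll_protocol = po->num;
-dev = dev_get_by_index(&init_net, po->ifindex);
+dev = dev_get_by_index(sk->sk_net, po->ifindex);
 if (dev) {
 sll->sll_hatype = dev->type;
 sll->sll_halen = dev->addr_len;
@@ -1217,7 +1212,7 @@ static int packet_mc_add(struct sock *sk, struct packet_mreq_max *mreq)
 rtnl_lock();
 
 err = -ENODEV;
-dev = __dev_get_by_index(&init_net, mreq->mr_ifindex);
+dev = __dev_get_by_index(sk->sk_net, mreq->mr_ifindex);
 if (!dev)
 goto done;
 
@@ -1271,7 +1266,7 @@ static int packet_mc_drop(struct sock *sk, struct packet_mreq_max *mreq)
 if (--ml->count == 0) {
 struct net_device *dev;
 *mlp = ml->next;
-dev = dev_get_by_index(&init_net, ml->ifindex);
+dev = dev_get_by_index(sk->sk_net, ml->ifindex);
 if (dev) {
 packet_dev_mc(dev, ml, -1);
 dev_put(dev);
@@ -1299,7 +1294,7 @@ static void packet_flush_mclist(struct sock *sk)
 struct net_device *dev;
 
 po->mclist = ml->next;
-if ((dev = dev_get_by_index(&init_net, ml->ifindex)) != NULL) {
+if ((dev = dev_get_by_index(sk->sk_net, ml->ifindex)) != NULL) {
 packet_dev_mc(dev, ml, -1);
 dev_put(dev);
 }
@@ -1455,12 +1450,10 @@ static int packet_notifier(struct notifier_block *this, unsigned long msg, void
 struct sock *sk;
 struct hlist_node *node;
 struct net_device *dev = data;
+struct net *net = dev->nd_net;
 
-if (dev->nd_net != &init_net)
-return NOTIFY_DONE;
-
-read_lock(&packet_sklist_lock);
-sk_for_each(sk, node, &packet_sklist) {
+read_lock(&net->packet_sklist_lock);
+sk_for_each(sk, node, &net->packet_sklist) {
 struct packet_sock *po = pkt_sk(sk);
 
 switch (msg) {
@@ -1499,7 +1492,7 @@ static int packet_notifier(struct notifier_block *this, unsigned long msg, void
 break;
 }
 }
-read_unlock(&packet_sklist_lock);
+read_unlock(&net->packet_sklist_lock);
 return NOTIFY_DONE;
 }
 
@@ -1547,6 +1540,8 @@ static int packet_ioctl(struct socket *sock, unsigned int cmd,
 case SIOCGIFDSTADDR:
 case SIOCSIFDSTADDR:
 case SIOCSIFFLAGS:
+if (sk->sk_net != &init_net)
+return -ENOIOCTLCMD;
 return inet_dgram_ops.ioctl(sock, cmd, arg);
 #endif
 
@@ -1862,12 +1857,12 @@ static struct notifier_block packet_netdev_notifier = {
 };
 
 #ifdef CONFIG_PROC_FS
-static inline struct sock *packet_seq_idx(loff_t off)
+static inline struct sock *packet_seq_idx(struct net *net, loff_t off)
 {
 struct sock *s;
 struct hlist_node *node;
 
-sk_for_each(s, node, &packet_sklist) {
+sk_for_each(s, node, &net->packet_sklist) {
 if (!off--)
 return s;
 }
@@ -1876,21 +1871,24 @@ static inline struct sock *packet_seq_idx(loff_t off)
 
 static void *packet_seq_start(struct seq_file *seq, loff_t *pos)
 {
-read_lock(&packet_sklist_lock);
-return *pos ? packet_seq_idx(*pos - 1) : SEQ_START_TOKEN;
+struct net *net = seq->private;
+read_lock(&net->packet_sklist_lock);
+return *pos ? packet_seq_idx(net, *pos - 1) : SEQ_START_TOKEN;
 }
 
 static void *packet_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 {
+struct net *net = seq->private;
 ++*pos;
 return (v == SEQ_START_TOKEN)
-? sk_head(&packet_sklist)
+? sk_head(&net->packet_sklist)
 : sk_next((struct sock*)v) ;
 }
 
 static void packet_seq_stop(struct seq_file *seq, void *v)
 {
-read_unlock(&packet_sklist_lock);
+struct net *net = seq->private;
+read_unlock(&net->packet_sklist_lock);
 }
 
 static int packet_seq_show(struct seq_file *seq, void *v)
@@ -1926,7 +1924,26 @@ static const struct seq_operations packet_seq_ops = {
 
 static int packet_seq_open(struct inode *inode, struct file *file)
 {
-return seq_open(file, &packet_seq_ops);
+struct seq_file *seq;
+int res;
+res = seq_open(file, &packet_seq_ops);
+if (!res) {
+seq = file->private_data;
+seq->private = get_proc_net(inode);
+if (!seq->private) {
+seq_release(inode, file);
+res = -ENXIO;
+}
+}
+return res;
+}
+
+static int packet_seq_release(struct inode *inode, struct file *file)
+{
+struct seq_file *seq= file->private_data;
+struct net *net = seq->private;
+put_net(net);
+return seq_release(inode, file);
 }
 
 static const struct file_operations packet_seq_fops = {
@@ -1934,15 +1951,37 @@ static const struct file_operations packet_seq_fops = {
 .open = packet_seq_open,
 .read = seq_read,
 .llseek = seq_lseek,
-.release = seq_release,
+.release = packet_seq_release,
 };
 
 #endif
 
+static int packet_net_init(struct net *net)
+{
+rwlock_init(&net->packet_sklist_lock);
+INIT_HLIST_HEAD(&net->packet_sklist);
+
+if (!proc_net_fops_create(net, "packet", 0, &packet_seq_fops))
+return -ENOMEM;
+
+return 0;
+}
+
+static void packet_net_exit(struct net *net)
+{
+proc_net_remove(net, "packet");
+}
+
+static struct pernet_operations packet_net_ops = {
+.init = packet_net_init,
+.exit = packet_net_exit,
+};
+
+
 static void __exit packet_exit(void)
 {
-proc_net_remove(&init_net, "packet");
 unregister_netdevice_notifier(&packet_netdev_notifier);
+unregister_pernet_subsys(&packet_net_ops);
 sock_unregister(PF_PACKET);
 proto_unregister(&packet_proto);
 }
@@ -1955,8 +1994,8 @@ static int __init packet_init(void)
 goto out;
 
 sock_register(&packet_family_ops);
+register_pernet_subsys(&packet_net_ops);
 register_netdevice_notifier(&packet_netdev_notifier);
-proc_net_fops_create(&init_net, "packet", 0, &packet_seq_fops);
 out:
 return rc;
 }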
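Review bot: The return value of register_pernet_subsys(&packet_net_ops) in packet_init() is discarded on the new side of the last hunk; if registration fails (packet_net_init() returns -ENOMEM when the proc entry cannot be created), the family stays registered while net->packet_sklist_lock and net->packet_sklist are never initialised, so the first packet_create() would take write_lock_bh() on an uninitialised rwlock. I would keep the error and unwind: `rc = register_pernet_subsys(&packet_net_ops);` then `if (rc) goto out_sock;` with a label that calls `sock_unregister(PF_PACKET);` before falling through to `out:` (packet_init() begins outside the hunk, so the existing unwind of the earlier proto registration is not visible here). A secondary point worth confirming: the pernet registration now runs after sock_register(), so there may be a short window during module load in which a socket can be created before the per-net init has run; registering the subsys first would close it. Minor style nit in packet_seq_release(): `struct seq_file *seq= file->private_data;` is missing the space before `=`.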