diff options
| author | Alexey Dobriyan <adobriyan@sw.ru> | 2008-01-31 07:03:45 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-31 22:27:39 -0500 |
| commit | 336b517fdc0f92f54a3f77a2d0933f9556aa79ad (patch) | |
| tree | 49fe68be0a741de7370196be70afaa71a990e38f /net | |
| parent | 9335f047fe61587ec82ff12fbb1220bcfdd32006 (diff) | |
[NETFILTER]: ip6_tables: netns preparation
* Propagate netns from userspace down to xt_find_table_lock()
* Register ip6 tables in netns (modules still use init_net)
Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 51 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_filter.c | 2 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_mangle.c | 2 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6table_raw.c | 2 |
4 files changed, 30 insertions, 27 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index b89f133f41d0..2453dfdc91aa 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
| @@ -1118,7 +1118,7 @@ static int compat_table_info(const struct xt_table_info *info, | |||
| 1118 | } | 1118 | } |
| 1119 | #endif | 1119 | #endif |
| 1120 | 1120 | ||
| 1121 | static int get_info(void __user *user, int *len, int compat) | 1121 | static int get_info(struct net *net, void __user *user, int *len, int compat) |
| 1122 | { | 1122 | { |
| 1123 | char name[IP6T_TABLE_MAXNAMELEN]; | 1123 | char name[IP6T_TABLE_MAXNAMELEN]; |
| 1124 | struct xt_table *t; | 1124 | struct xt_table *t; |
| @@ -1138,7 +1138,7 @@ static int get_info(void __user *user, int *len, int compat) | |||
| 1138 | if (compat) | 1138 | if (compat) |
| 1139 | xt_compat_lock(AF_INET6); | 1139 | xt_compat_lock(AF_INET6); |
| 1140 | #endif | 1140 | #endif |
| 1141 | t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name), | 1141 | t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name), |
| 1142 | "ip6table_%s", name); | 1142 | "ip6table_%s", name); |
| 1143 | if (t && !IS_ERR(t)) { | 1143 | if (t && !IS_ERR(t)) { |
| 1144 | struct ip6t_getinfo info; | 1144 | struct ip6t_getinfo info; |
| @@ -1178,7 +1178,7 @@ static int get_info(void __user *user, int *len, int compat) | |||
| 1178 | } | 1178 | } |
| 1179 | 1179 | ||
| 1180 | static int | 1180 | static int |
| 1181 | get_entries(struct ip6t_get_entries __user *uptr, int *len) | 1181 | get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len) |
| 1182 | { | 1182 | { |
| 1183 | int ret; | 1183 | int ret; |
| 1184 | struct ip6t_get_entries get; | 1184 | struct ip6t_get_entries get; |
| @@ -1196,7 +1196,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len) | |||
| 1196 | return -EINVAL; | 1196 | return -EINVAL; |
| 1197 | } | 1197 | } |
| 1198 | 1198 | ||
| 1199 | t = xt_find_table_lock(&init_net, AF_INET6, get.name); | 1199 | t = xt_find_table_lock(net, AF_INET6, get.name); |
| 1200 | if (t && !IS_ERR(t)) { | 1200 | if (t && !IS_ERR(t)) { |
| 1201 | struct xt_table_info *private = t->private; | 1201 | struct xt_table_info *private = t->private; |
| 1202 | duprintf("t->private->number = %u\n", private->number); | 1202 | duprintf("t->private->number = %u\n", private->number); |
| @@ -1217,7 +1217,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len) | |||
| 1217 | } | 1217 | } |
| 1218 | 1218 | ||
| 1219 | static int | 1219 | static int |
| 1220 | __do_replace(const char *name, unsigned int valid_hooks, | 1220 | __do_replace(struct net *net, const char *name, unsigned int valid_hooks, |
| 1221 | struct xt_table_info *newinfo, unsigned int num_counters, | 1221 | struct xt_table_info *newinfo, unsigned int num_counters, |
| 1222 | void __user *counters_ptr) | 1222 | void __user *counters_ptr) |
| 1223 | { | 1223 | { |
| @@ -1235,7 +1235,7 @@ __do_replace(const char *name, unsigned int valid_hooks, | |||
| 1235 | goto out; | 1235 | goto out; |
| 1236 | } | 1236 | } |
| 1237 | 1237 | ||
| 1238 | t = try_then_request_module(xt_find_table_lock(&init_net, AF_INET6, name), | 1238 | t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name), |
| 1239 | "ip6table_%s", name); | 1239 | "ip6table_%s", name); |
| 1240 | if (!t || IS_ERR(t)) { | 1240 | if (!t || IS_ERR(t)) { |
| 1241 | ret = t ? PTR_ERR(t) : -ENOENT; | 1241 | ret = t ? PTR_ERR(t) : -ENOENT; |
| @@ -1288,7 +1288,7 @@ __do_replace(const char *name, unsigned int valid_hooks, | |||
| 1288 | } | 1288 | } |
| 1289 | 1289 | ||
| 1290 | static int | 1290 | static int |
| 1291 | do_replace(void __user *user, unsigned int len) | 1291 | do_replace(struct net *net, void __user *user, unsigned int len) |
| 1292 | { | 1292 | { |
| 1293 | int ret; | 1293 | int ret; |
| 1294 | struct ip6t_replace tmp; | 1294 | struct ip6t_replace tmp; |
| @@ -1322,7 +1322,7 @@ do_replace(void __user *user, unsigned int len) | |||
| 1322 | 1322 | ||
| 1323 | duprintf("ip_tables: Translated table\n"); | 1323 | duprintf("ip_tables: Translated table\n"); |
| 1324 | 1324 | ||
| 1325 | ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo, | 1325 | ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, |
| 1326 | tmp.num_counters, tmp.counters); | 1326 | tmp.num_counters, tmp.counters); |
| 1327 | if (ret) | 1327 | if (ret) |
| 1328 | goto free_newinfo_untrans; | 1328 | goto free_newinfo_untrans; |
| @@ -1358,7 +1358,8 @@ add_counter_to_entry(struct ip6t_entry *e, | |||
| 1358 | } | 1358 | } |
| 1359 | 1359 | ||
| 1360 | static int | 1360 | static int |
| 1361 | do_add_counters(void __user *user, unsigned int len, int compat) | 1361 | do_add_counters(struct net *net, void __user *user, unsigned int len, |
| 1362 | int compat) | ||
| 1362 | { | 1363 | { |
| 1363 | unsigned int i; | 1364 | unsigned int i; |
| 1364 | struct xt_counters_info tmp; | 1365 | struct xt_counters_info tmp; |
| @@ -1410,7 +1411,7 @@ do_add_counters(void __user *user, unsigned int len, int compat) | |||
| 1410 | goto free; | 1411 | goto free; |
| 1411 | } | 1412 | } |
| 1412 | 1413 | ||
| 1413 | t = xt_find_table_lock(&init_net, AF_INET6, name); | 1414 | t = xt_find_table_lock(net, AF_INET6, name); |
| 1414 | if (!t || IS_ERR(t)) { | 1415 | if (!t || IS_ERR(t)) { |
| 1415 | ret = t ? PTR_ERR(t) : -ENOENT; | 1416 | ret = t ? PTR_ERR(t) : -ENOENT; |
| 1416 | goto free; | 1417 | goto free; |
| @@ -1815,7 +1816,7 @@ out_unlock: | |||
| 1815 | } | 1816 | } |
| 1816 | 1817 | ||
| 1817 | static int | 1818 | static int |
| 1818 | compat_do_replace(void __user *user, unsigned int len) | 1819 | compat_do_replace(struct net *net, void __user *user, unsigned int len) |
| 1819 | { | 1820 | { |
| 1820 | int ret; | 1821 | int ret; |
| 1821 | struct compat_ip6t_replace tmp; | 1822 | struct compat_ip6t_replace tmp; |
| @@ -1852,7 +1853,7 @@ compat_do_replace(void __user *user, unsigned int len) | |||
| 1852 | 1853 | ||
| 1853 | duprintf("compat_do_replace: Translated table\n"); | 1854 | duprintf("compat_do_replace: Translated table\n"); |
| 1854 | 1855 | ||
| 1855 | ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo, | 1856 | ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, |
| 1856 | tmp.num_counters, compat_ptr(tmp.counters)); | 1857 | tmp.num_counters, compat_ptr(tmp.counters)); |
| 1857 | if (ret) | 1858 | if (ret) |
| 1858 | goto free_newinfo_untrans; | 1859 | goto free_newinfo_untrans; |
| @@ -1876,11 +1877,11 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, | |||
| 1876 | 1877 | ||
| 1877 | switch (cmd) { | 1878 | switch (cmd) { |
| 1878 | case IP6T_SO_SET_REPLACE: | 1879 | case IP6T_SO_SET_REPLACE: |
| 1879 | ret = compat_do_replace(user, len); | 1880 | ret = compat_do_replace(sk->sk_net, user, len); |
| 1880 | break; | 1881 | break; |
| 1881 | 1882 | ||
| 1882 | case IP6T_SO_SET_ADD_COUNTERS: | 1883 | case IP6T_SO_SET_ADD_COUNTERS: |
| 1883 | ret = do_add_counters(user, len, 1); | 1884 | ret = do_add_counters(sk->sk_net, user, len, 1); |
| 1884 | break; | 1885 | break; |
| 1885 | 1886 | ||
| 1886 | default: | 1887 | default: |
| @@ -1929,7 +1930,8 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table, | |||
| 1929 | } | 1930 | } |
| 1930 | 1931 | ||
| 1931 | static int | 1932 | static int |
| 1932 | compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len) | 1933 | compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr, |
| 1934 | int *len) | ||
| 1933 | { | 1935 | { |
| 1934 | int ret; | 1936 | int ret; |
| 1935 | struct compat_ip6t_get_entries get; | 1937 | struct compat_ip6t_get_entries get; |
| @@ -1950,7 +1952,7 @@ compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len) | |||
| 1950 | } | 1952 | } |
| 1951 | 1953 | ||
| 1952 | xt_compat_lock(AF_INET6); | 1954 | xt_compat_lock(AF_INET6); |
| 1953 | t = xt_find_table_lock(&init_net, AF_INET6, get.name); | 1955 | t = xt_find_table_lock(net, AF_INET6, get.name); |
| 1954 | if (t && !IS_ERR(t)) { | 1956 | if (t && !IS_ERR(t)) { |
| 1955 | struct xt_table_info *private = t->private; | 1957 | struct xt_table_info *private = t->private; |
| 1956 | struct xt_table_info info; | 1958 | struct xt_table_info info; |
| @@ -1986,10 +1988,10 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
| 1986 | 1988 | ||
| 1987 | switch (cmd) { | 1989 | switch (cmd) { |
| 1988 | case IP6T_SO_GET_INFO: | 1990 | case IP6T_SO_GET_INFO: |
| 1989 | ret = get_info(user, len, 1); | 1991 | ret = get_info(sk->sk_net, user, len, 1); |
| 1990 | break; | 1992 | break; |
| 1991 | case IP6T_SO_GET_ENTRIES: | 1993 | case IP6T_SO_GET_ENTRIES: |
| 1992 | ret = compat_get_entries(user, len); | 1994 | ret = compat_get_entries(sk->sk_net, user, len); |
| 1993 | break; | 1995 | break; |
| 1994 | default: | 1996 | default: |
| 1995 | ret = do_ip6t_get_ctl(sk, cmd, user, len); | 1997 | ret = do_ip6t_get_ctl(sk, cmd, user, len); |
| @@ -2008,11 +2010,11 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) | |||
| 2008 | 2010 | ||
| 2009 | switch (cmd) { | 2011 | switch (cmd) { |
| 2010 | case IP6T_SO_SET_REPLACE: | 2012 | case IP6T_SO_SET_REPLACE: |
| 2011 | ret = do_replace(user, len); | 2013 | ret = do_replace(sk->sk_net, user, len); |
| 2012 | break; | 2014 | break; |
| 2013 | 2015 | ||
| 2014 | case IP6T_SO_SET_ADD_COUNTERS: | 2016 | case IP6T_SO_SET_ADD_COUNTERS: |
| 2015 | ret = do_add_counters(user, len, 0); | 2017 | ret = do_add_counters(sk->sk_net, user, len, 0); |
| 2016 | break; | 2018 | break; |
| 2017 | 2019 | ||
| 2018 | default: | 2020 | default: |
| @@ -2033,11 +2035,11 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
| 2033 | 2035 | ||
| 2034 | switch (cmd) { | 2036 | switch (cmd) { |
| 2035 | case IP6T_SO_GET_INFO: | 2037 | case IP6T_SO_GET_INFO: |
| 2036 | ret = get_info(user, len, 0); | 2038 | ret = get_info(sk->sk_net, user, len, 0); |
| 2037 | break; | 2039 | break; |
| 2038 | 2040 | ||
| 2039 | case IP6T_SO_GET_ENTRIES: | 2041 | case IP6T_SO_GET_ENTRIES: |
| 2040 | ret = get_entries(user, len); | 2042 | ret = get_entries(sk->sk_net, user, len); |
| 2041 | break; | 2043 | break; |
| 2042 | 2044 | ||
| 2043 | case IP6T_SO_GET_REVISION_MATCH: | 2045 | case IP6T_SO_GET_REVISION_MATCH: |
| @@ -2074,7 +2076,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
| 2074 | return ret; | 2076 | return ret; |
| 2075 | } | 2077 | } |
| 2076 | 2078 | ||
| 2077 | struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl) | 2079 | struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table, |
| 2080 | const struct ip6t_replace *repl) | ||
| 2078 | { | 2081 | { |
| 2079 | int ret; | 2082 | int ret; |
| 2080 | struct xt_table_info *newinfo; | 2083 | struct xt_table_info *newinfo; |
| @@ -2101,7 +2104,7 @@ struct xt_table *ip6t_register_table(struct xt_table *table, const struct ip6t_r | |||
| 2101 | if (ret != 0) | 2104 | if (ret != 0) |
| 2102 | goto out_free; | 2105 | goto out_free; |
| 2103 | 2106 | ||
| 2104 | new_table = xt_register_table(&init_net, table, &bootstrap, newinfo); | 2107 | new_table = xt_register_table(net, table, &bootstrap, newinfo); |
| 2105 | if (IS_ERR(new_table)) { | 2108 | if (IS_ERR(new_table)) { |
| 2106 | ret = PTR_ERR(new_table); | 2109 | ret = PTR_ERR(new_table); |
| 2107 | goto out_free; | 2110 | goto out_free; |
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c index bffd67f32359..d0bf71d40cc5 100644 --- a/net/ipv6/netfilter/ip6table_filter.c +++ b/net/ipv6/netfilter/ip6table_filter.c | |||
| @@ -132,7 +132,7 @@ static int __init ip6table_filter_init(void) | |||
| 132 | initial_table.entries[1].target.verdict = -forward - 1; | 132 | initial_table.entries[1].target.verdict = -forward - 1; |
| 133 | 133 | ||
| 134 | /* Register table */ | 134 | /* Register table */ |
| 135 | packet_filter = ip6t_register_table(&__packet_filter, &initial_table.repl); | 135 | packet_filter = ip6t_register_table(&init_net, &__packet_filter, &initial_table.repl); |
| 136 | if (IS_ERR(packet_filter)) | 136 | if (IS_ERR(packet_filter)) |
| 137 | return PTR_ERR(packet_filter); | 137 | return PTR_ERR(packet_filter); |
| 138 | 138 | ||
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c index 63d334df3b40..abdfece4ab82 100644 --- a/net/ipv6/netfilter/ip6table_mangle.c +++ b/net/ipv6/netfilter/ip6table_mangle.c | |||
| @@ -164,7 +164,7 @@ static int __init ip6table_mangle_init(void) | |||
| 164 | int ret; | 164 | int ret; |
| 165 | 165 | ||
| 166 | /* Register table */ | 166 | /* Register table */ |
| 167 | packet_mangler = ip6t_register_table(&__packet_mangler, &initial_table.repl); | 167 | packet_mangler = ip6t_register_table(&init_net, &__packet_mangler, &initial_table.repl); |
| 168 | if (IS_ERR(packet_mangler)) | 168 | if (IS_ERR(packet_mangler)) |
| 169 | return PTR_ERR(packet_mangler); | 169 | return PTR_ERR(packet_mangler); |
| 170 | 170 | ||
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c index 7f55b236440e..12acd6300903 100644 --- a/net/ipv6/netfilter/ip6table_raw.c +++ b/net/ipv6/netfilter/ip6table_raw.c | |||
| @@ -77,7 +77,7 @@ static int __init ip6table_raw_init(void) | |||
| 77 | int ret; | 77 | int ret; |
| 78 | 78 | ||
| 79 | /* Register table */ | 79 | /* Register table */ |
| 80 | packet_raw = ip6t_register_table(&__packet_raw, &initial_table.repl); | 80 | packet_raw = ip6t_register_table(&init_net, &__packet_raw, &initial_table.repl); |
| 81 | if (IS_ERR(packet_raw)) | 81 | if (IS_ERR(packet_raw)) |
| 82 | return PTR_ERR(packet_raw); | 82 | return PTR_ERR(packet_raw); |
| 83 | 83 | ||