diff options
| -rw-r--r-- | net/netfilter/nfnetlink.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 027f16af51a0..046aa13b4fea 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
| @@ -363,13 +363,15 @@ static void nfnetlink_rcv(struct sk_buff *skb) | |||
| 363 | struct net *net = sock_net(skb->sk); | 363 | struct net *net = sock_net(skb->sk); |
| 364 | int msglen; | 364 | int msglen; |
| 365 | 365 | ||
| 366 | if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) | ||
| 367 | return netlink_ack(skb, nlh, -EPERM); | ||
| 368 | |||
| 369 | if (nlh->nlmsg_len < NLMSG_HDRLEN || | 366 | if (nlh->nlmsg_len < NLMSG_HDRLEN || |
| 370 | skb->len < nlh->nlmsg_len) | 367 | skb->len < nlh->nlmsg_len) |
| 371 | return; | 368 | return; |
| 372 | 369 | ||
| 370 | if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { | ||
| 371 | netlink_ack(skb, nlh, -EPERM); | ||
| 372 | return; | ||
| 373 | } | ||
| 374 | |||
| 373 | if (nlh->nlmsg_type == NFNL_MSG_BATCH_BEGIN) { | 375 | if (nlh->nlmsg_type == NFNL_MSG_BATCH_BEGIN) { |
| 374 | struct nfgenmsg *nfgenmsg; | 376 | struct nfgenmsg *nfgenmsg; |
| 375 | 377 | ||