From: Denis V. Lunev Date: Mon, 24 Mar 2008 22:33:00 +0000 (-0700) Subject: [NETNS]: Drop packets in the non-initial namespace on the per/protocol basis. X-Git-Tag: firefly_0821_release~21615^2~363 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f145049a06f470d0489f47cb83ff3ccb2a0de622;p=firefly-linux-kernel-4.4.55.git [NETNS]: Drop packets in the non-initial namespace on the per/protocol basis. IP layer now can handle multiple namespaces normally. So, process such packets normally and drop them only if the transport layer is not aware about namespaces. Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- diff --git a/include/net/protocol.h b/include/net/protocol.h index ad8c584233a6..8d024d7cb741 100644 --- a/include/net/protocol.h +++ b/include/net/protocol.h @@ -39,7 +39,8 @@ struct net_protocol { int (*gso_send_check)(struct sk_buff *skb); struct sk_buff *(*gso_segment)(struct sk_buff *skb, int features); - int no_policy; + unsigned int no_policy:1, + netns_ok:1; }; #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index eb1fa27dc0c4..2aeea5d15425 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -199,6 +199,8 @@ int ip_call_ra_chain(struct sk_buff *skb) static int ip_local_deliver_finish(struct sk_buff *skb) { + struct net *net = skb->dev->nd_net; + __skb_pull(skb, ip_hdrlen(skb)); /* Point into the IP datagram, just past the header. */ @@ -214,7 +216,8 @@ static int ip_local_deliver_finish(struct sk_buff *skb) raw = raw_local_deliver(skb, protocol); hash = protocol & (MAX_INET_PROTOS - 1); - if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) { + ipprot = rcu_dereference(inet_protos[hash]); + if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) { int ret; if (!ipprot->no_policy) { @@ -375,9 +378,6 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct iphdr *iph; u32 len; - if (dev->nd_net != &init_net) - goto drop; - /* When the interface is in promisc. mode, drop all the crap * that it receives, do not try to analyse it. */