[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis.

IP layer now can handle multiple namespaces normally. So, process such packets normally and drop them only if the transport layer is not aware about namespaces. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>

[NETNS]: Drop packets in the non-initial namespace on the per/protocol basis.
IP layer now can handle multiple namespaces normally. So, process such packets normally and drop them only if the transport layer is not aware about namespaces. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Denis V. Lunev · David S. Miller
1 parent 0be43f82c4
Showing 2 changed files with 6 additions and 5 deletions Side-by-side Diff
include/net/protocol.h
net/ipv4/ip_input.c
@@ -39,7 +39,8 @@
 	int			(*gso_send_check)(struct sk_buff *skb);
 	struct sk_buff	       *(*gso_segment)(struct sk_buff *skb,
 					       int features);
-	int			no_policy;
+	unsigned int		no_policy:1,
+				netns_ok:1;
 };
  
 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
@@ -199,6 +199,8 @@
  
 static int ip_local_deliver_finish(struct sk_buff *skb)
 {
+	struct net *net = skb->dev->nd_net;
+
 	__skb_pull(skb, ip_hdrlen(skb));
  
 	/* Point into the IP datagram, just past the header. */
@@ -214,7 +216,8 @@
 		raw = raw_local_deliver(skb, protocol);
  
 		hash = protocol & (MAX_INET_PROTOS - 1);
-		if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {
+		ipprot = rcu_dereference(inet_protos[hash]);
+		if (ipprot != NULL && (net == &init_net || ipprot->netns_ok)) {
 			int ret;
  
 			if (!ipprot->no_policy) {
@@ -374,9 +377,6 @@
 {
 	struct iphdr *iph;
 	u32 len;
-
-	if (dev->nd_net != &init_net)
-		goto drop;
  
 	/* When the interface is in promisc. mode, drop all the crap
 	 * that it receives, do not try to analyse it.
...	...	@@ -39,7 +39,8 @@
39	39	int (gso_send_check)(struct sk_buff skb);
40	40	struct sk_buff (gso_segment)(struct sk_buff *skb,
41	41	int features);
42		- int no_policy;
	42	+ unsigned int no_policy:1,
	43	+ netns_ok:1;
43	44	};
44	45
45	46	#if defined(CONFIG_IPV6) \|\| defined (CONFIG_IPV6_MODULE)
...	...	@@ -199,6 +199,8 @@
199	199
200	200	static int ip_local_deliver_finish(struct sk_buff *skb)
201	201	{
	202	+ struct net *net = skb->dev->nd_net;
	203	+
202	204	__skb_pull(skb, ip_hdrlen(skb));
203	205
204	206	/* Point into the IP datagram, just past the header. */
...	...	@@ -214,7 +216,8 @@
214	216	raw = raw_local_deliver(skb, protocol);
215	217
216	218	hash = protocol & (MAX_INET_PROTOS - 1);
217		- if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {
	219	+ ipprot = rcu_dereference(inet_protos[hash]);
	220	+ if (ipprot != NULL && (net == &init_net \|\| ipprot->netns_ok)) {
218	221	int ret;
219	222
220	223	if (!ipprot->no_policy) {
...	...	@@ -374,9 +377,6 @@
374	377	{
375	378	struct iphdr *iph;
376	379	u32 len;
377		-
378		- if (dev->nd_net != &init_net)
379		- goto drop;
380	380
381	381	/* When the interface is in promisc. mode, drop all the crap
382	382	* that it receives, do not try to analyse it.