Commit e77e6ff502ea3d193872b5b9033bfd9717b36447
Committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
1 parent
a1560dd7a4
netfilter: conntrack: do not dump other netns's conntrack entries via proc
We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces") Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 4 additions and 0 deletions Side-by-side Diff
net/netfilter/nf_conntrack_standalone.c
| ... | ... | @@ -205,6 +205,7 @@ |
| 205 | 205 | struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); |
| 206 | 206 | const struct nf_conntrack_l3proto *l3proto; |
| 207 | 207 | const struct nf_conntrack_l4proto *l4proto; |
| 208 | + struct net *net = seq_file_net(s); | |
| 208 | 209 | int ret = 0; |
| 209 | 210 | |
| 210 | 211 | NF_CT_ASSERT(ct); |
| ... | ... | @@ -213,6 +214,9 @@ |
| 213 | 214 | |
| 214 | 215 | /* we only want to print DIR_ORIGINAL */ |
| 215 | 216 | if (NF_CT_DIRECTION(hash)) |
| 217 | + goto release; | |
| 218 | + | |
| 219 | + if (!net_eq(nf_ct_net(ct), net)) | |
| 216 | 220 | goto release; |
| 217 | 221 | |
| 218 | 222 | l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct)); |