
netfilter: nf_log_syslog: Consolidate entry checks

Every syslog logging callback has to perform the same check to cover for
rogue containers; introduce a helper for clarity. Drop the FIXME as
there is a viable solution since commit 2851940ffee31 ("netfilter: allow
logging from non-init namespaces").

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Phil Sutter and committed by
Pablo Neira Ayuso
c3e34866 0c878380

+10 -8
+10 -8
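--- a/net/netfilter/nf_log_syslog.c
+++ b/net/netfilter/nf_log_syslog.c
@@ -40,6 +40,12 @@
 unsigned char ip_dst[4];
 };
 
+/* Guard against containers flooding syslog. */
+static bool nf_log_allowed(const struct net *net)
+{
+return net_eq(net, &init_net) || sysctl_nf_log_all_netns;
+}
+
 static void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
 {
 u16 vid;
@@ -139,8 +133,7 @@
 {
 struct nf_log_buf *m;
 
-/* FIXME: Disabled from containers until syslog ns is supported */
-if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
+if (!nf_log_allowed(net))
 return;
 
 m = nf_log_buf_open();
@@ -836,8 +831,7 @@
 {
 struct nf_log_buf *m;
 
-/* FIXME: Disabled from containers until syslog ns is supported */
-if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
+if (!nf_log_allowed(net))
 return;
 
 m = nf_log_buf_open();
@@ -871,8 +867,7 @@
 {
 struct nf_log_buf *m;
 
-/* FIXME: Disabled from containers until syslog ns is supported */
-if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
+if (!nf_log_allowed(net))
 return;
 
 m = nf_log_buf_open();
@@ -907,8 +904,7 @@
 {
 struct nf_log_buf *m;
 
-/* FIXME: Disabled from containers until syslog ns is supported */
-if (!net_eq(net, &init_net) && !sysctl_nf_log_all_netns)
+if (!nf_log_allowed(net))
 return;
 
 m = nf_log_buf_open();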
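Review bot: The one-line comment on the new nf_log_allowed() helper in the first hunk states the effect but not the reason, and the reason is the security-relevant part of the check that all four callers now rely on: the kernel log is not namespaced (the dropped FIXME said as much), so a process in a non-init network namespace could otherwise fill the host's syslog. I would expand it to `/* syslog is not namespaced: only init_net may log unless the nf_log_all_netns sysctl opts every netns in, so a container cannot flood the host log. */`. The helper's name also reads as a general permission check although it only gates the syslog backend in this file; if that is intended, a word in the comment would make it clear. If sysctl_nf_log_all_netns can be toggled concurrently via proc, a READ_ONCE() on the flag would make the lockless read explicit, though that pattern is inherited from the code being replaced rather than introduced here.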