tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: ipt_CLUSTERIP: use proper net namespace to operate CLUSTERIP

we can allow users in uninit net namespace to operate ipt_CLUSTERIP
now.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Gao feng and committed by
Pablo Neira Ayuso d86946d2 f58d7866

+6 -4
+6 -4
net/ipv4/netfilter/ipt_CLUSTERIP.c
··· 99 99 static inline void 100 100 clusterip_config_entry_put(struct clusterip_config *c) 101 101 { 102 - struct clusterip_net *cn = net_generic(&init_net, clusterip_net_id); 102 + struct net *net = dev_net(c->dev); 103 + struct clusterip_net *cn = net_generic(net, clusterip_net_id); 103 104 104 105 local_bh_disable(); 105 106 if (atomic_dec_and_lock(&c->entries, &cn->lock)) { ··· 382 381 383 382 /* FIXME: further sanity checks */ 384 383 385 - config = clusterip_config_find_get(&init_net, e->ip.dst.s_addr, 1); 384 + config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1); 386 385 if (!config) { 387 386 if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { 388 387 pr_info("no config found for %pI4, need 'new'\n", ··· 396 395 return -EINVAL; 397 396 } 398 397 399 - dev = dev_get_by_name(&init_net, e->ip.iniface); 398 + dev = dev_get_by_name(par->net, e->ip.iniface); 400 399 if (!dev) { 401 400 pr_info("no such interface %s\n", 402 401 e->ip.iniface); ··· 504 503 struct arphdr *arp = arp_hdr(skb); 505 504 struct arp_payload *payload; 506 505 struct clusterip_config *c; 506 + struct net *net = dev_net(in ? in : out); 507 507 508 508 /* we don't care about non-ethernet and non-ipv4 ARP */ 509 509 if (arp->ar_hrd != htons(ARPHRD_ETHER) || ··· 521 519 522 520 /* if there is no clusterip configuration for the arp reply's 523 521 * source ip, we don't want to mangle it */ 524 - c = clusterip_config_find_get(&init_net, payload->src_ip, 0); 522 + c = clusterip_config_find_get(net, payload->src_ip, 0); 525 523 if (!c) 526 524 return NF_ACCEPT; 527 525