netfilter: check if the socket netns is correct.

+2 -1

include/net/netfilter/nf_log.h

··· 106 106 int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, 107 107 u8 proto, int fragment, unsigned int offset, 108 108 unsigned int logflags); 109 - void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk); 109 + void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 110 + struct sock *sk); 110 111 void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, 111 112 unsigned int hooknum, const struct sk_buff *skb, 112 113 const struct net_device *in,

+4 -4

net/ipv4/netfilter/nf_log_ipv4.c

··· 35 35 }; 36 36 37 37 /* One level of recursion won't kill us */ 38 - static void dump_ipv4_packet(struct nf_log_buf *m, 38 + static void dump_ipv4_packet(struct net *net, struct nf_log_buf *m, 39 39 const struct nf_loginfo *info, 40 40 const struct sk_buff *skb, unsigned int iphoff) 41 41 { ··· 183 183 /* Max length: 3+maxlen */ 184 184 if (!iphoff) { /* Only recurse once. */ 185 185 nf_log_buf_add(m, "["); 186 - dump_ipv4_packet(m, info, skb, 186 + dump_ipv4_packet(net, m, info, skb, 187 187 iphoff + ih->ihl*4+sizeof(_icmph)); 188 188 nf_log_buf_add(m, "] "); 189 189 } ··· 251 251 252 252 /* Max length: 15 "UID=4294967295 " */ 253 253 if ((logflags & NF_LOG_UID) && !iphoff) 254 - nf_log_dump_sk_uid_gid(m, skb->sk); 254 + nf_log_dump_sk_uid_gid(net, m, skb->sk); 255 255 256 256 /* Max length: 16 "MARK=0xFFFFFFFF " */ 257 257 if (!iphoff && skb->mark) ··· 333 333 if (in != NULL) 334 334 dump_ipv4_mac_header(m, loginfo, skb); 335 335 336 - dump_ipv4_packet(m, loginfo, skb, 0); 336 + dump_ipv4_packet(net, m, loginfo, skb, 0); 337 337 338 338 nf_log_buf_close(m); 339 339 }

+4 -4

net/ipv6/netfilter/nf_log_ipv6.c

··· 36 36 }; 37 37 38 38 /* One level of recursion won't kill us */ 39 - static void dump_ipv6_packet(struct nf_log_buf *m, 39 + static void dump_ipv6_packet(struct net *net, struct nf_log_buf *m, 40 40 const struct nf_loginfo *info, 41 41 const struct sk_buff *skb, unsigned int ip6hoff, 42 42 int recurse) ··· 258 258 /* Max length: 3+maxlen */ 259 259 if (recurse) { 260 260 nf_log_buf_add(m, "["); 261 - dump_ipv6_packet(m, info, skb, 261 + dump_ipv6_packet(net, m, info, skb, 262 262 ptr + sizeof(_icmp6h), 0); 263 263 nf_log_buf_add(m, "] "); 264 264 } ··· 278 278 279 279 /* Max length: 15 "UID=4294967295 " */ 280 280 if ((logflags & NF_LOG_UID) && recurse) 281 - nf_log_dump_sk_uid_gid(m, skb->sk); 281 + nf_log_dump_sk_uid_gid(net, m, skb->sk); 282 282 283 283 /* Max length: 16 "MARK=0xFFFFFFFF " */ 284 284 if (recurse && skb->mark) ··· 365 365 if (in != NULL) 366 366 dump_ipv6_mac_header(m, loginfo, skb); 367 367 368 - dump_ipv6_packet(m, loginfo, skb, skb_network_offset(skb), 1); 368 + dump_ipv6_packet(net, m, loginfo, skb, skb_network_offset(skb), 1); 369 369 370 370 nf_log_buf_close(m); 371 371 }

+1 -1

net/netfilter/nf_conntrack_broadcast.c

··· 32 32 __be32 mask = 0; 33 33 34 34 /* we're only interested in locally generated packets */ 35 - if (skb->sk == NULL) 35 + if (skb->sk == NULL || !net_eq(nf_ct_net(ct), sock_net(skb->sk))) 36 36 goto out; 37 37 if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST)) 38 38 goto out;

+3 -2

net/netfilter/nf_log_common.c

··· 132 132 } 133 133 EXPORT_SYMBOL_GPL(nf_log_dump_tcp_header); 134 134 135 - void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk) 135 + void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, 136 + struct sock *sk) 136 137 { 137 - if (!sk || !sk_fullsock(sk)) 138 + if (!sk || !sk_fullsock(sk) || !net_eq(net, sock_net(sk))) 138 139 return; 139 140 140 141 read_lock_bh(&sk->sk_callback_lock);

+5 -1

net/netfilter/nf_nat_core.c

··· 108 108 struct flowi fl; 109 109 unsigned int hh_len; 110 110 struct dst_entry *dst; 111 + struct sock *sk = skb->sk; 111 112 int err; 112 113 113 114 err = xfrm_decode_session(skb, &fl, family); ··· 120 119 dst = ((struct xfrm_dst *)dst)->route; 121 120 dst_hold(dst); 122 121 123 - dst = xfrm_lookup(net, dst, &fl, skb->sk, 0); 122 + if (sk && !net_eq(net, sock_net(sk))) 123 + sk = NULL; 124 + 125 + dst = xfrm_lookup(net, dst, &fl, sk, 0); 124 126 if (IS_ERR(dst)) 125 127 return PTR_ERR(dst); 126 128

+6 -3

net/netfilter/nft_meta.c

··· 107 107 break; 108 108 case NFT_META_SKUID: 109 109 sk = skb_to_full_sk(skb); 110 - if (!sk || !sk_fullsock(sk)) 110 + if (!sk || !sk_fullsock(sk) || 111 + !net_eq(nft_net(pkt), sock_net(sk))) 111 112 goto err; 112 113 113 114 read_lock_bh(&sk->sk_callback_lock); ··· 124 123 break; 125 124 case NFT_META_SKGID: 126 125 sk = skb_to_full_sk(skb); 127 - if (!sk || !sk_fullsock(sk)) 126 + if (!sk || !sk_fullsock(sk) || 127 + !net_eq(nft_net(pkt), sock_net(sk))) 128 128 goto err; 129 129 130 130 read_lock_bh(&sk->sk_callback_lock); ··· 216 214 #ifdef CONFIG_CGROUP_NET_CLASSID 217 215 case NFT_META_CGROUP: 218 216 sk = skb_to_full_sk(skb); 219 - if (!sk || !sk_fullsock(sk)) 217 + if (!sk || !sk_fullsock(sk) || 218 + !net_eq(nft_net(pkt), sock_net(sk))) 220 219 goto err; 221 220 *dest = sock_cgroup_classid(&sk->sk_cgrp_data); 222 221 break;

+4 -1

net/netfilter/nft_socket.c

··· 23 23 struct sock *sk = skb->sk; 24 24 u32 *dest = &regs->data[priv->dreg]; 25 25 26 + if (sk && !net_eq(nft_net(pkt), sock_net(sk))) 27 + sk = NULL; 28 + 26 29 if (!sk) 27 30 switch(nft_pf(pkt)) { 28 31 case NFPROTO_IPV4: ··· 42 39 return; 43 40 } 44 41 45 - if(!sk) { 42 + if (!sk) { 46 43 nft_reg_store8(dest, 0); 47 44 return; 48 45 }

+4 -2

net/netfilter/xt_cgroup.c

··· 72 72 cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par) 73 73 { 74 74 const struct xt_cgroup_info_v0 *info = par->matchinfo; 75 + struct sock *sk = skb->sk; 75 76 76 - if (skb->sk == NULL || !sk_fullsock(skb->sk)) 77 + if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk))) 77 78 return false; 78 79 79 80 return (info->id == sock_cgroup_classid(&skb->sk->sk_cgrp_data)) ^ ··· 86 85 const struct xt_cgroup_info_v1 *info = par->matchinfo; 87 86 struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data; 88 87 struct cgroup *ancestor = info->priv; 88 + struct sock *sk = skb->sk; 89 89 90 - if (!skb->sk || !sk_fullsock(skb->sk)) 90 + if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk))) 91 91 return false; 92 92 93 93 if (ancestor)

+1 -1

net/netfilter/xt_owner.c

··· 67 67 struct sock *sk = skb_to_full_sk(skb); 68 68 struct net *net = xt_net(par); 69 69 70 - if (sk == NULL || sk->sk_socket == NULL) 70 + if (!sk || !sk->sk_socket || !net_eq(net, sock_net(sk))) 71 71 return (info->match ^ info->invert) == 0; 72 72 else if (info->match & info->invert & XT_OWNER_SOCKET) 73 73 /*

+2 -1

net/netfilter/xt_recent.c

··· 265 265 } 266 266 267 267 /* use TTL as seen before forwarding */ 268 - if (xt_out(par) != NULL && skb->sk == NULL) 268 + if (xt_out(par) != NULL && 269 + (!skb->sk || !net_eq(net, sock_net(skb->sk)))) 269 270 ttl++; 270 271 271 272 spin_lock_bh(&recent_lock);

+8

net/netfilter/xt_socket.c

··· 56 56 struct sk_buff *pskb = (struct sk_buff *)skb; 57 57 struct sock *sk = skb->sk; 58 58 59 + if (!net_eq(xt_net(par), sock_net(sk))) 60 + sk = NULL; 61 + 59 62 if (!sk) 60 63 sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par)); 64 + 61 65 if (sk) { 62 66 bool wildcard; 63 67 bool transparent = true; ··· 117 113 struct sk_buff *pskb = (struct sk_buff *)skb; 118 114 struct sock *sk = skb->sk; 119 115 116 + if (!net_eq(xt_net(par), sock_net(sk))) 117 + sk = NULL; 118 + 120 119 if (!sk) 121 120 sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par)); 121 + 122 122 if (sk) { 123 123 bool wildcard; 124 124 bool transparent = true;