Previous attempts failed because iptable_nat_ipv4_in() uses do_chain()==iptable_nat_do_chain() and not nft_nat_do_chain() and in particular its ops->priv is not set.
Thus we have to distinguish the iptables and nft cases and perform netns checks only in the "nft" case (iptables does these checks in a completely different way: it already stores chains per-net, unlike nft).

Options to fix this:

1) in nf_nat_ipv{4,6}_fn() compare the do_chain() arg with nft_nat_do_chain() and perform the check for the proper netns if needed.

2) introduce a new return code for nft_do_chain() and check it in nf_nat_ipv{4,6}_fn().

The following patch implements the second way.

Konstantin Khorenko (1):
  net/netfilter: handle case when nft_do_chain() is called for wrong netns

 include/uapi/linux/netfilter.h           | 4 ++++
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 2 ++
 net/netfilter/nf_tables_core.c           | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)

-- 
2.15.1

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
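As an added illustration (not code from the patch, from OpenVZ, or from the kernel), the following userspace C mock models the dispatch the cover letter describes and why option 2 lets the shared nf_nat_ipv{4,6}_fn() caller stay backend-agnostic. Everything in it is an assumption made for the mock: the mock_* names, the struct layouts, and the verdict NF_WRONG_NETNS, which only stands in for the new return code the series adds to include/uapi/linux/netfilter.h (the real name is not assumed here).

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical verdicts for the mock; NF_WRONG_NETNS stands in for the new
 * return code of option 2 (the real name in netfilter.h is not assumed). */
enum verdict { NF_DROP = 0, NF_ACCEPT = 1, NF_WRONG_NETNS = 0x40 };

struct net { int id; };
struct nft_chain { struct net *net; };      /* what ops->priv points to for nft */
struct nf_hook_state { struct net *net; };  /* netns the packet is seen in */
struct nf_hook_ops { void *priv; };         /* NULL in the iptables case */

typedef unsigned int (*do_chain_fn)(const struct nf_hook_ops *ops,
                                    const struct nf_hook_state *state);

/* iptables-style chain callback: iptables keeps its tables per-net, so it
 * never needs ops->priv and never dereferences it. */
static unsigned int mock_iptable_nat_do_chain(const struct nf_hook_ops *ops,
                                              const struct nf_hook_state *state)
{
    (void)ops;
    (void)state;
    return NF_ACCEPT;
}

/* nft-style chain callback: ops->priv is the chain, which knows its netns.
 * Refuse to evaluate the chain for a packet from another netns. */
static unsigned int mock_nft_nat_do_chain(const struct nf_hook_ops *ops,
                                          const struct nf_hook_state *state)
{
    const struct nft_chain *chain = ops->priv;

    if (chain->net != state->net)
        return NF_WRONG_NETNS;
    return NF_ACCEPT;
}

/* Mock of the shared nf_nat_ipv{4,6}_fn() caller: it only looks at the
 * verdict, so it needs no knowledge of which backend do_chain() is. */
static unsigned int mock_nf_nat_fn(const struct nf_hook_ops *ops,
                                   const struct nf_hook_state *state,
                                   do_chain_fn do_chain, int *nat_reached)
{
    unsigned int ret = do_chain(ops, state);

    *nat_reached = 0;
    if (ret == NF_WRONG_NETNS)
        return NF_ACCEPT;   /* chain belongs to another netns: no NAT, pass on */
    if (ret != NF_ACCEPT)
        return ret;
    *nat_reached = 1;       /* a real implementation would set up the mapping */
    return NF_ACCEPT;
}

/* Constructed scenario: two netns, one nft chain owned by net A. */
static struct net net_a = { 1 };
static struct net net_b = { 2 };
static struct nft_chain chain_a = { &net_a };

/* Each helper returns 1 if the NAT path is reached, 0 if it is skipped. */
int iptables_reaches_nat(void)
{
    struct nf_hook_ops ops = { NULL };          /* priv not set, as for iptables */
    struct nf_hook_state st = { &net_a };
    int reached;

    mock_nf_nat_fn(&ops, &st, mock_iptable_nat_do_chain, &reached);
    return reached;
}

int nft_same_netns_reaches_nat(void)
{
    struct nf_hook_ops ops = { &chain_a };
    struct nf_hook_state st = { &net_a };
    int reached;

    mock_nf_nat_fn(&ops, &st, mock_nft_nat_do_chain, &reached);
    return reached;
}

int nft_other_netns_reaches_nat(void)
{
    struct nf_hook_ops ops = { &chain_a };
    struct nf_hook_state st = { &net_b };       /* packet from net B */
    int reached;

    mock_nf_nat_fn(&ops, &st, mock_nft_nat_do_chain, &reached);
    return reached;
}

int main(void)
{
    printf("iptables: nat reached=%d\n", iptables_reaches_nat());
    printf("nft, same netns: nat reached=%d\n", nft_same_netns_reaches_nat());
    printf("nft, other netns: nat reached=%d\n", nft_other_netns_reaches_nat());
    return 0;
}
```

The iptables case runs with ops->priv left NULL and never dereferences it, which is the situation the first line of the cover letter describes; the netns comparison lives only in the nft callback, and the caller acts purely on the returned verdict. Option 1 would instead have the caller compare the do_chain pointer against the nft callback before touching ops->priv, which couples the shared caller to one backend.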