Previous attempts failed because iptable_nat_ipv4_in() uses
do_chain()==iptable_nat_do_chain() and not nft_nat_do_chain() and in
particular its ops->priv is not set.

Thus we have to distinguish iptables and nft cases and perform netns
checks only in the "nft" case (iptables does these checks in a completely
different way: it already stores chains per-net, unlike nft).

Options to fix this:
1) in nf_nat_ipv{4,6}_fn() compare do_chain() arg with
   nft_nat_do_chain() and perform the check for proper netns if needed.

2) introduce new return code for nft_do_chain() and check it in
   nf_nat_ipv{4,6}_fn().

The following patch implements the second way.

Konstantin Khorenko (1):
  net/netfilter: handle case when nft_do_chain() is called for wrong
    netns

 include/uapi/linux/netfilter.h           | 4 ++++
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 2 ++
 net/netfilter/nf_tables_core.c           | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)

-- 
2.15.1

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
