OpenVZ Forum


[PATCH 8/11 net-2.6.26] [NETNS]: Process netfilter hooks in initial namespace only. [message #28568 is a reply to message #28566] Mon, 24 March 2008 14:36
There were no packets in the namespace other than initial previously. This
will be changed in the nearest future. Netfilters are not namespace aware
and should be processed in the initial namespace only for now.

Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/core.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index c4065b8..ec05684 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -165,6 +165,14 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
 	unsigned int verdict;
 	int ret = 0;
 
+#ifdef CONFIG_NET_NS
+	struct net *net;
+
+	net = indev == NULL ? outdev->nd_net : indev->nd_net;
+	if (net != &init_net)
+		return 1;
+#endif
+
 	/* We may already have this, but read-locks nest anyway */
 	rcu_read_lock();
 
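Review bot: In the added `net = indev == NULL ? outdev->nd_net : indev->nd_net;` line, `outdev` is dereferenced whenever `indev` is NULL, and nothing in this hunk establishes that the two are never NULL together; either check for that case before the lookup or add a comment naming the invariant that rules it out. The bare `return 1` that follows also deserves a comment stating what that value tells the caller, because, per the commit message, it is the point at which packets in every non-initial namespace skip all netfilter hooks, so rules loaded in the initial namespace do not apply to that traffic.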
-- 
1.5.3.rc5
 