netfilter: ip6table_filter in netns for real
authorAlexey Dobriyan <adobriyan@gmail.com>
Tue, 8 Jul 2008 09:36:18 +0000 (02:36 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 8 Jul 2008 09:36:18 +0000 (02:36 -0700)
One still needs to remove checks in nf_hook_slow() and nf_sockopt_find()
to test this, though.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/netfilter/ip6table_filter.c

index f979e48b469b8f308183f0388ff5e7a9f60c603d..55a2c290bad4e8d07cc1b3f43c90f5136c916e18 100644 (file)
@@ -61,13 +61,25 @@ static struct xt_table packet_filter = {
 
 /* The work comes in here from netfilter.c. */
 static unsigned int
-ip6t_hook(unsigned int hook,
-        struct sk_buff *skb,
-        const struct net_device *in,
-        const struct net_device *out,
-        int (*okfn)(struct sk_buff *))
+ip6t_local_in_hook(unsigned int hook,
+                  struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  int (*okfn)(struct sk_buff *))
+{
+       return ip6t_do_table(skb, hook, in, out,
+                            nf_local_in_net(in, out)->ipv6.ip6table_filter);
+}
+
+static unsigned int
+ip6t_forward_hook(unsigned int hook,
+                 struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 int (*okfn)(struct sk_buff *))
 {
-       return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
+       return ip6t_do_table(skb, hook, in, out,
+                            nf_forward_net(in, out)->ipv6.ip6table_filter);
 }
 
 static unsigned int
@@ -87,19 +99,20 @@ ip6t_local_out_hook(unsigned int hook,
        }
 #endif
 
-       return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
+       return ip6t_do_table(skb, hook, in, out,
+                            nf_local_out_net(in, out)->ipv6.ip6table_filter);
 }
 
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
        {
-               .hook           = ip6t_hook,
+               .hook           = ip6t_local_in_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP6_PRI_FILTER,
        },
        {
-               .hook           = ip6t_hook,
+               .hook           = ip6t_forward_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_FORWARD,