ipv4: Disallow non-namespace aware protocols to register.

All in-tree ipv4 protocol implementations are now namespace
aware.  Therefore all the run-time checks are superfluous.

Reject registry of any non-namespace aware ipv4 protocol.
Eventually we'll remove prot->netns_ok and this registry
time check as well.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 49ddca31c4daf4ac50923d540901b99f33a29f0e..1aec92bf80189aad7bb940502c3d7a77b5978738 100644 (file)
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -263,21 +263,6 @@ void build_ehash_secret(void)
 }
 EXPORT_SYMBOL(build_ehash_secret);
 
-static inline int inet_netns_ok(struct net *net, __u8 protocol)
-{
-       const struct net_protocol *ipprot;
-
-       if (net_eq(net, &init_net))
-               return 1;
-
-       ipprot = rcu_dereference(inet_protos[protocol]);
-       if (ipprot == NULL) {
-               /* raw IP is OK */
-               return 1;
-       }
-       return ipprot->netns_ok;
-}
-
 /*
  *     Create an inet socket.
  */
@@ -350,10 +335,6 @@ lookup_protocol:
            !ns_capable(net->user_ns, CAP_NET_RAW))
                goto out_rcu_unlock;
 
-       err = -EAFNOSUPPORT;
-       if (!inet_netns_ok(net, protocol))
-               goto out_rcu_unlock;
-
        sock->ops = answer->ops;
        answer_prot = answer->prot;
        answer_no_check = answer->no_check;

diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index f1395a6fb35fcbb2f49d3a19ce6d48dcf43e4e89..87abd3e2bd329d7ee3630cbc3ed4770d35e6370e 100644 (file)
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -208,13 +208,6 @@ static int ip_local_deliver_finish(struct sk_buff *skb)
                if (ipprot != NULL) {
                        int ret;
 
-                       if (!net_eq(net, &init_net) && !ipprot->netns_ok) {
-                               net_info_ratelimited("%s: proto %d isn't netns-ready\n",
-                                                    __func__, protocol);
-                               kfree_skb(skb);
-                               goto out;
-                       }
-
                        if (!ipprot->no_policy) {
                                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
                                        kfree_skb(skb);

diff --git a/net/ipv4/protocol.c b/net/ipv4/protocol.c
index 0f9d09f54bd9d781bb74d577185c571fe632b270..ce848461acbb07f6b758dc900225c7aff16ac690 100644 (file)
--- a/net/ipv4/protocol.c
+++ b/net/ipv4/protocol.c
@@ -37,6 +37,12 @@ const struct net_offload __rcu *inet_offloads[MAX_INET_PROTOS] __read_mostly;
 
 int inet_add_protocol(const struct net_protocol *prot, unsigned char protocol)
 {
+       if (!prot->netns_ok) {
+               pr_err("Protocol %u is not namespace aware, cannot register.\n",
+                       protocol);
+               return -EINVAL;
+       }
+
        return !cmpxchg((const struct net_protocol **)&inet_protos[protocol],
                        NULL, prot) ? 0 : -1;
 }