diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-10 23:28:33 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-14 18:00:59 +0200 |
| commit | 99633ab29b2131b68089a6c7f60458390860e044 (patch) | |
| tree | eb7e2ecd9ed875ed4d3a050b95ed3d77bbde762b /include | |
| parent | eb31628e37a0a4e01fffd79dcc7f815d2357f53a (diff) | |
netfilter: nf_tables: complete net namespace support
Register family per netnamespace to ensure that sets are
only visible in its approapriate namespace.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/net_namespace.h | 4 | ||||
| -rw-r--r-- | include/net/netfilter/nf_tables.h | 4 | ||||
| -rw-r--r-- | include/net/netns/nftables.h | 15 |
3 files changed, 22 insertions, 1 deletions
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index bcc4a8ed4450..da68c9a90ac5 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -22,6 +22,7 @@ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) #include <net/netns/conntrack.h> #endif +#include <net/netns/nftables.h> #include <net/netns/xfrm.h> struct user_namespace; @@ -101,6 +102,9 @@ struct net { #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) struct netns_ct ct; #endif +#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE) + struct netns_nftables nft; +#endif #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) struct netns_nf_frag nf_frag; #endif diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index a68f45f0fe2e..d3272e943aac 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -68,6 +68,7 @@ static inline void nft_data_debug(const struct nft_data *data) /** * struct nft_ctx - nf_tables rule/set context * + * @net: net namespace * @skb: netlink skb * @nlh: netlink message header * @afi: address family info @@ -76,6 +77,7 @@ static inline void nft_data_debug(const struct nft_data *data) * @nla: netlink attributes */ struct nft_ctx { + struct net *net; const struct sk_buff *skb; const struct nlmsghdr *nlh; const struct nft_af_info *afi; @@ -462,7 +464,7 @@ struct nft_af_info { nf_hookfn *hooks[NF_MAX_HOOKS]; }; -extern int nft_register_afinfo(struct nft_af_info *); +extern int nft_register_afinfo(struct net *, struct nft_af_info *); extern void nft_unregister_afinfo(struct nft_af_info *); struct nf_chain_type { diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h new file mode 100644 index 000000000000..a98b1c5d9913 --- /dev/null +++ b/include/net/netns/nftables.h @@ -0,0 +1,15 @@ +#ifndef _NETNS_NFTABLES_H_ +#define _NETNS_NFTABLES_H_ + +#include <linux/list.h> + +struct nft_af_info; + +struct netns_nftables { + struct list_head af_info; + struct nft_af_info *ipv4; + struct nft_af_info *ipv6; + struct nft_af_info *bridge; +}; + +#endif |