[NET]: Disable netfilter sockopts when not in the initial network namespace
author Eric W. Biederman <ebiederm@xmission.com>
Wed, 12 Sep 2007 11:58:02 +0000 (13:58 +0200)
committer David S. Miller <davem@sunset.davemloft.net>
Wed, 10 Oct 2007 23:49:13 +0000 (16:49 -0700)
Until we support multiple network namespaces with netfilter, only allow
netfilter configuration in the initial network namespace.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/nf_sockopt.c

index e32761ce260cbc8b30216370ddf06871da35d221..aa2831587b821d1c3afb65d59f96d0eb739a9377 100644
@@ -69,6 +69,9 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
        struct nf_sockopt_ops *ops;
        int ret;
 
+       if (sk->sk_net != &init_net)
+               return -ENOPROTOOPT;
+
        if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
                return -EINTR;
 
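Review bot: the new check at the top of nf_sockopt() returns -ENOPROTOOPT for any socket whose sk_net is not init_net, so from a non-initial namespace the netfilter options look as if they do not exist rather than as if they are forbidden; if that is the intended semantics (it matches "disable" in the subject), a one-line comment above the check stating it would save the next reader from expecting -EPERM or -EOPNOTSUPP here. Placing the test before mutex_lock_interruptible() is the right order, since the rejected path then takes no lock and cannot fail with -EINTR.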
@@ -125,6 +128,10 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val,
        struct nf_sockopt_ops *ops;
        int ret;
 
+       if (sk->sk_net != &init_net)
+               return -ENOPROTOOPT;
+
+
        if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
                return -EINTR;
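Review bot: there is a stray second blank line after the new `return -ENOPROTOOPT;` in compat_nf_sockopt() (the hunk in nf_sockopt() leaves only one); drop it so the two sites match. The same two-line namespace test is now duplicated in nf_sockopt() and compat_nf_sockopt(); a small static helper shared by both would keep them from drifting apart when this restriction is later relaxed for other namespaces.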