netfilter: conntrack: consider ct netns in early_drop logic
author Florian Westphal <fw@strlen.de>
Mon, 2 May 2016 16:40:14 +0000 (18:40 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 5 May 2016 14:39:48 +0000 (16:39 +0200)
commit 3e86638e9a0be8bcf7db007909d8307b8b9f8e3b
tree 75d479d79da94ed566823e26e0731494e15de259
parent 56d52d4892d0e478a005b99ed10d0a7f488ea8c1
netfilter: conntrack: consider ct netns in early_drop logic

When iterating, skip conntrack entries living in a different netns.

We could ignore netns and kill some other non-assured one, but it
has two problems:

- a netns can kill non-assured conntracks in another namespace
- we would start to 'over-subscribe' the affected/overlimit netns.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_conntrack_core.c
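The two problems listed in the commit message can be made concrete with a small userspace model of the early_drop() bucket scan. This is an added illustration, not the kernel's code: the real function in net/netfilter/nf_conntrack_core.c walks RCU hash chains and uses the conntrack's own helpers, whereas here a bucket is a plain array, a netns is a struct with an id, "assured" is a single status bit, and the `consider_netns` flag switches between the behaviour before this change (any non-assured entry is fair game) and after it (entries owned by another netns are skipped). The pointer comparison `ct->net != net` is an assumption standing in for whatever netns check the kernel patch uses.

```c
/*
 * Userspace model of the early_drop() bucket scan described in the commit
 * message. Added example, not kernel code. Struct names, the CT_ASSURED bit
 * and the sample buckets below are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CT_ASSURED 1u   /* stands in for the assured status bit; value is arbitrary here */

struct net { int id; };

struct ct {
    struct net   *net;     /* netns the entry belongs to */
    unsigned int  status;  /* CT_ASSURED or 0 */
    bool          dead;    /* set once early_drop() killed it */
};

/* Scan one bucket on behalf of `net`, which is over its conntrack limit,
 * and kill the first eligible non-assured entry. Returns the victim or NULL. */
static struct ct *early_drop(struct ct *chain[], size_t len, struct net *net,
                             bool consider_netns)
{
    for (size_t i = 0; i < len; i++) {
        struct ct *ct = chain[i];

        if (ct->dead)
            continue;
        /* The point of this commit: never pick an entry owned by another netns. */
        if (consider_netns && ct->net != net)
            continue;
        if (ct->status & CT_ASSURED)
            continue;
        ct->dead = true;
        return ct;
    }
    return NULL;
}

/* Constructed bucket: a non-assured entry from another netns sits first in
 * the chain. Returns the victim's netns id, or -1 if nothing was dropped. */
static int drop_with_foreign_first(bool consider_netns)
{
    struct net net1 = { .id = 1 }, net2 = { .id = 2 };
    struct ct a = { .net = &net1, .status = 0 };           /* non-assured, net1 */
    struct ct b = { .net = &net2, .status = CT_ASSURED };  /* assured, net2 */
    struct ct c = { .net = &net2, .status = 0 };           /* non-assured, net2 */
    struct ct *chain[] = { &a, &b, &c };
    struct ct *victim = early_drop(chain, 3, &net2, consider_netns);

    return victim ? victim->net->id : -1;
}

/* Constructed bucket: the overlimit netns holds only assured entries, so the
 * only way to "make room" is to kill someone else's conntrack.
 * Returns the victim's netns id, or -1 if nothing was dropped. */
static int drop_when_own_entries_assured(bool consider_netns)
{
    struct net net1 = { .id = 1 }, net2 = { .id = 2 };
    struct ct a = { .net = &net1, .status = 0 };           /* non-assured, net1 */
    struct ct b = { .net = &net2, .status = CT_ASSURED };  /* assured, net2 */
    struct ct *chain[] = { &a, &b };
    struct ct *victim = early_drop(chain, 2, &net2, consider_netns);

    return victim ? victim->net->id : -1;
}

int main(void)
{
    /* netns 2 is over its limit in every case below */
    printf("foreign first, ignore netns : victim in netns %d\n", drop_with_foreign_first(false));
    printf("foreign first, check netns  : victim in netns %d\n", drop_with_foreign_first(true));
    printf("own all assured, ignore netns: victim in netns %d\n", drop_when_own_entries_assured(false));
    printf("own all assured, check netns : victim in netns %d\n", drop_when_own_entries_assured(true));
    return 0;
}
```

With the netns check ignored, the first scenario kills netns 1's entry even though netns 2 is the one over its limit (problem one in the commit message), and the second scenario lets netns 2 keep growing past its limit at netns 1's expense (problem two, the over-subscription). With the check in place, the overlimit netns can only evict its own non-assured entries, and when it has none the drop fails instead of reaching into another namespace.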