On 4/27/20 5:57 PM, Konstantin Khorenko wrote: > --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c > @@ -251,6 +252,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct > sk_buff *skb, > /* maniptype == SRC for postrouting. */ > enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum); > > + const struct nft_chain *chain = ops->priv, *basechain = chain;
why you need to define "basechain" here? can you just use chain instead? > + const struct net *chain_net = > + read_pnet(&nft_base_chain(basechain)->pnet); > + const struct net *net; > + > /* We never see fragments: conntrack defrags on pre-routing > * and local-out, and nf_nat_out protects post-routing. > */ > @@ -265,6 +271,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct > sk_buff *skb, > if (!ct) > return NF_ACCEPT; > > + /* Ignore chains that are not for the current network namespace */ > + net = nf_ct_net(ct); > + if (!net_eq(net, chain_net)) > + return NF_ACCEPT; > + > /* Don't try to NAT if this packet is not conntracked */ > if (nf_ct_is_untracked(ct)) > return NF_ACCEPT; > diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > index 540dc0fdaf102..545ba56fbd3c3 100644 > --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c > @@ -24,6 +24,7 @@ > #include <net/netfilter/nf_nat_core.h> > #include <net/netfilter/nf_nat_l3proto.h> > #include <net/netfilter/nf_nat_l4proto.h> > +#include <net/netfilter/nf_tables.h> > > static const struct nf_nat_l3proto nf_nat_l3proto_ipv6; > > @@ -264,6 +265,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct > sk_buff *skb, > int hdrlen; > u8 nexthdr; > > + const struct nft_chain *chain = ops->priv, *basechain = chain; and here too: it seems you can use chain instead of basechain, it isn't? > + const struct net *chain_net = > + read_pnet(&nft_base_chain(basechain)->pnet); > + const struct net *net; > + > ct = nf_ct_get(skb, &ctinfo); > /* Can't track? It's not due to stress, or conntrack would > * have dropped it. Hence it's the user's responsibilty to 
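Review bot: `const struct nft_chain *chain = ops->priv` at the top of the nf_nat_ipv4_fn hunk assumes every hook that reaches this function was registered by nf_tables, yet nf_nat_ipv4_fn is a shared NAT entry point; if this tree also reaches it from iptable_nat, whose hook ops leave priv unset in upstream kernels of this vintage, `read_pnet(&nft_base_chain(basechain)->pnet)` would read through a NULL or non-chain pointer — please confirm which callers exist before this lands. The nf_nat_ipv6_fn hunk (@@ -264) has the identical construct, so the same question applies there. If iptables callers exist, the netns lookup belongs in the nft-specific chain callback (the caller that knows priv is an nft_chain), passed down rather than recovered from ops->priv here. Either way, a single `static inline` helper shared by both l3proto files would keep the two copies from diverging. nf_nat_ipv4_fn's body continues outside the hunk.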
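Review bot: The `net` local introduced in the nf_nat_ipv4_fn @@ -265 hunk is assigned once and read once, so `if (!net_eq(nf_ct_net(ct), chain_net)) return NF_ACCEPT;` expresses the check without the extra declaration from the earlier hunk. The comment also describes the test loosely: what is compared is the conntrack entry's namespace against the chain's, so `/* Skip NAT if the conntrack belongs to a different netns than this chain */` states the condition a reader can verify against the code. The nf_nat_ipv6_fn @@ -279 hunk repeats both points. The enclosing function continues outside the hunk.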
> @@ -273,6 +279,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct > sk_buff *skb, > if (!ct) > return NF_ACCEPT; > > + /* Ignore chains that are not for the current network namespace */ > + net = nf_ct_net(ct); > + if (!net_eq(net, chain_net)) > + return NF_ACCEPT; > + > /* Don't try to NAT if this packet is not conntracked */ > if (nf_ct_is_untracked(ct)) > return NF_ACCEPT; > _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
