This looks better, thanks. A few remaining questions about things I missed previously:

Jan Engelhardt wrote:
> +static int condition_mt_check(const struct xt_mtchk_param *par)
> +{
> +	...
> +	/* Create the condition variable's proc file entry. */
> +	var->status_proc = create_proc_entry(info->name, condition_list_perms,
> +					     proc_net_condition);

proc_net_condition is a global variable, so this won't work for namespaces. What the code does is reinitialize it when instantiating a new namespace, so it will always point to the last instantiated namespace. The same problem exists for the condition_list; each namespace should only be able to access its own conditions.

> +static struct xt_match condition_mt_reg __read_mostly = {
> +	.name = "condition",
> +	.revision = 1,

Why are we starting with revision 1?

> +	.family = NFPROTO_UNSPEC,
> +	.matchsize = sizeof(struct xt_condition_mtinfo),
> +	.match = condition_mt,
> +	.checkentry = condition_mt_check,
> +	.destroy = condition_mt_destroy,
> +	.me = THIS_MODULE,
> +};

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
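Review bot: in the condition_mt_check hunk, the result of create_proc_entry() is stored in var->status_proc with no NULL check in the lines shown, and the directory argument is the global proc_net_condition; since the function body before this call is elided ("..."), confirm that a NULL return is handled (release var, return -ENOMEM) and consider keeping proc_net_condition and condition_list in a per-net structure registered through register_pernet_subsys() so each namespace resolves its own directory and list instead of whichever namespace was initialised last.

Review bot: in the condition_mt_reg hunk, ".revision = 1," on a newly added match needs an explanation in the commit message; a first revision normally starts at 0, so either change it to 0 or state which existing revision 0 of "condition" (with a different matchsize or layout that userspace still has to select) this supersedes.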