Patrick McHardy wrote:
> This looks better, thanks. A few remaining questions about things
> I missed previously:
>
> Jan Engelhardt wrote:
>> +static int condition_mt_check(const struct xt_mtchk_param *par)
>> +{
>> + ...
>> + /* Create the condition variable's proc file entry. */
>> + var->status_proc = create_proc_entry(info->name, condition_list_perms,
>> + proc_net_condition);
>
> proc_net_condition is a global variable, so this won't work for
> namespaces. What the code does is reinitialize it when instantiating
> a new namespace, so it will always point to the last instantiated
> namespace.
>
> The same problem exists for the condition_list, each namespace
> should only be able to access its own conditions.

This also applies to the permission variables. Basically, we shouldn't be
having any globals except perhaps the mutex. You probably need a
module_param_call function to set them for the correct namespace (you can
access that through current->nsproxy->net_ns).

>> +static struct xt_match condition_mt_reg __read_mostly = {
>> + .name = "condition",
>> + .revision = 1,
>
> Why are we starting with revision 1?
>
>> + .family = NFPROTO_UNSPEC,
>> + .matchsize = sizeof(struct xt_condition_mtinfo),
>> + .match = condition_mt,
>> + .checkentry = condition_mt_check,
>> + .destroy = condition_mt_destroy,
>> + .me = THIS_MODULE,
>> +};
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
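Review bot: in the condition_mt_check hunk, the result of create_proc_entry() is stored in var->status_proc with no NULL check visible in the quoted lines; create_proc_entry() returns NULL on failure, so unless the elided part handles it, the check routine should test the result, release what it allocated and return an error before the entry can be used. The same call also passes the module-wide condition_list_perms as the mode, so that value needs to move into the per-namespace state together with proc_net_condition when the globals are removed.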