On Wed, Jun 10, 2015 at 5:28 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
[...]
> If my understanding of the problem is correct, this (totally untested)
> patch should prevent the problem until we have a proper fix.

Yes, it does prevent the execution of the chains from the wrong netns.

Some targets are still broken when used in a netns; for example, queue rules instantiated in a netns will not work at all.

Andreas

>
> diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
> index f153b07..62e371a 100644
> --- a/net/netfilter/nf_tables_core.c
> +++ b/net/netfilter/nf_tables_core.c
> @@ -124,6 +124,12 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
> int rulenum;
> unsigned int gencursor = nft_genmask_cur(net);
>
> + /* Workaround for processing in incorrect namespace until we have
> + * per net hooks.
> + */
> + if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net)
> + return NF_ACCEPT;
> +
> do_chain:
> rulenum = 0;
> rule = list_entry(&chain->rules, struct nft_rule, list);
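Review bot: the early return in nft_do_chain() needs its comment to say why NF_ACCEPT, rather than the base chain's policy, is the right verdict when the packet's device namespace differs from the chain's `net`; as written, a reader can mistake it for a policy bypass instead of "this chain does not apply to packets from another netns, leave them to that namespace". On the expression itself, the open-coded `read_pnet(&(pkt->in ? : pkt->out)->nd_net)` is what `dev_net()` exists for: `if (dev_net(pkt->in ? : pkt->out) != net)` says the same thing without reaching into the nd_net field. Either form dereferences NULL if neither pkt->in nor pkt->out is set, so the comment should also state the assumption that at least one device is present at every hook point this chain can be attached to.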