On Fri, Jun 19, 2015 at 10:41:21AM -0500, Eric W. Biederman wrote:
>
> Currently nf_tables chains added in one network namespace are being
> run in all network namespaces. The issues are myriad with the simplest
> being an unprivileged user can cause any network packets to be dropped.
>
> Address this by simply not running nf_tables chains in the wrong
> network namespace.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

@David: Patrick sent a similar patch to address this, if you can get
this into the net tree, I'll make sure this propagates to -stable.

Thanks.