From cb111466cbfd4d2c90dc7e5159664a911f00ea4d Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Wed, 9 Nov 2005 13:02:16 -0800
Subject: [PATCH] --- yaml --- r: 13646 b: refs/heads/master c: ed77de9fc69076e6e7c85edf7c1b70650f53121a h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/net/netfilter/nfnetlink.c | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/[refs] b/[refs]
index e23a1d6eeea5..321951fa090e 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 5978a9b82c55b82a1087bd86e0ae8b00f94d0d0b
+refs/heads/master: ed77de9fc69076e6e7c85edf7c1b70650f53121a
diff --git a/trunk/net/netfilter/nfnetlink.c b/trunk/net/netfilter/nfnetlink.c
index f8bd7c7e7921..83f4c53030fc 100644
--- a/trunk/net/netfilter/nfnetlink.c
+++ b/trunk/net/netfilter/nfnetlink.c
@@ -240,15 +240,18 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
 ss = nfnetlink_get_subsys(type);
 if (!ss) {
 #ifdef CONFIG_KMOD
- /* don't call nfnl_shunlock, since it would reenter
- * with further packet processing */
- up(&nfnl_sem);
- request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
- nfnl_shlock();
- ss = nfnetlink_get_subsys(type);
+ if (cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+ /* don't call nfnl_shunlock, since it would reenter
+ * with further packet processing */
+ up(&nfnl_sem);
+ request_module("nfnetlink-subsys-%d",
+ NFNL_SUBSYS_ID(type));
+ nfnl_shlock();
+ ss = nfnetlink_get_subsys(type);
+ }
 if (!ss)
 #endif
 goto err_inval;
 }
 nc = nfnetlink_find_client(type, ss);
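Review bot: The new `cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)` guard in nfnetlink_rcv_msg has no comment saying why the autoload is gated; the comment beneath it only explains the locking. A line such as `/* only CAP_NET_ADMIN senders may trigger a module autoload */` above the `if` would record that the point is to keep unprivileged netlink senders from forcing `request_module()`. A sender without the capability now falls through to `goto err_inval` and gets the same error as for an unknown subsystem, which looks intended but is worth stating in that comment. The guard covers only the autoload path; whether dispatch to an already-registered subsystem is also capability-checked is decided outside this hunk and should be confirmed there. The function begins and continues outside the hunk.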