netfilter: enable netfilter in netns

From kernel perspective, allow entrance in nf_hook_slow(). Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not netns-ready: DECnet netfilter ipt_CLUSTERIP nf_nat_standalone.c together with XFRM (?) IPVS several individual match modules (like hashlimit) ctnetlink NOTRACK all sorts of queueing and reporting to userspace L3 and L4 protocol sysctls, bridge sysctls probably something else Anyway critical mass has been achieved, there is no reason to hide netfilter any longer. From userspace perspective, allow to manipulate all sorts of iptables/ip6tables/arptables rules. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
mariux64 · Oct 8, 2008 · 4de6f16 · 4de6f16
1 parent cfd6e3d
commit 4de6f16
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 11 deletions.
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
@@ -165,14 +165,6 @@ int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 	unsigned int verdict;
 	int ret = 0;
 
-#ifdef CONFIG_NET_NS
-	struct net *net;
-
-	net = indev == NULL ? dev_net(outdev) : dev_net(indev);
-	if (net != &init_net)
-		return 1;
-#endif
-
 	/* We may already have this, but read-locks nest anyway */
 	rcu_read_lock();
 

diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
@@ -65,9 +65,6 @@ static struct nf_sockopt_ops *nf_sockopt_find(struct sock *sk, u_int8_t pf,
 {
 	struct nf_sockopt_ops *ops;
 
-	if (!net_eq(sock_net(sk), &init_net))
-		return ERR_PTR(-ENOPROTOOPT);
-
 	if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
 		return ERR_PTR(-EINTR);