[NET]: Disable netfilter sockopts when not in the initial network namespace

Until we support multiple network namespaces with netfilter, only allow
netfilter configuration in the initial network namespace.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric W. Biederman authored and David S. Miller committed Oct 10, 2007
1 parent d8a5ec6 commit c48dad7
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions net/netfilter/nf_sockopt.c
@@ -69,6 +69,9 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
struct nf_sockopt_ops *ops;
int ret;

if (sk->sk_net != &init_net)
return -ENOPROTOOPT;

if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
return -EINTR;

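Review bot: the new `if (sk->sk_net != &init_net) return -ENOPROTOOPT;` check at the top of nf_sockopt() carries no comment, so a reader of the function cannot tell that it is a stopgap rather than a design decision; suggest a one-line comment above it stating that netfilter tables are not yet per-namespace and that the test keeps a socket created in a child namespace from driving the init namespace's netfilter sockopts, which is the security point of the change. Placing the test before mutex_lock_interruptible() is right, since the early return then needs no unlock path. It would also help to say in the commit message that a caller in a non-init namespace now sees -ENOPROTOOPT, which is indistinguishable from an unregistered option.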
@@ -125,6 +128,10 @@ static int compat_nf_sockopt(struct sock *sk, int pf, int val,
struct nf_sockopt_ops *ops;
int ret;

if (sk->sk_net != &init_net)
return -ENOPROTOOPT;


if (mutex_lock_interruptible(&nf_sockopt_mutex) != 0)
return -EINTR;

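Review bot: this hunk leaves two consecutive blank lines between `return -ENOPROTOOPT;` and the mutex_lock_interruptible() call (it adds four lines where the first hunk adds three); drop one so compat_nf_sockopt() matches nf_sockopt(). The check itself is a verbatim copy of the one in nf_sockopt(); since both functions now begin with the same namespace test, consider moving it into a small static helper so that a later per-namespace netfilter change has one place to update instead of two.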