[Devel] [PATCH rh7] net: Add ipt_mask checks into ip6table_nat
Kirill Tkhai
ktkhai at odin.com
Mon Jul 13 05:08:48 PDT 2015
Register pernet table only if it's allowed.
https://jira.sw.ru/browse/PSBM-34748
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
net/ipv6/netfilter/ip6table_nat.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 1be22b9..e50a640 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -289,6 +289,10 @@ static int __net_init ip6table_nat_net_init(struct net *net)
{
struct ip6t_replace *repl;
+ if (!net_ipt_permitted(net, VE_IP_IPTABLE_NAT) ||
+ !net_ipt_permitted(net, VE_IP_IPTABLES6))
+ return 0;
+
repl = ip6t_alloc_initial_table(&nf_nat_ipv6_table);
if (repl == NULL)
return -ENOMEM;
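Review bot: The early `return 0` on the permission check leaves this netns with no NAT table, so any hook that later reads `net->ipv6.ip6table_nat` for that netns will see NULL; whether the hook path tolerates that is not visible in this hunk, and if the hooks are registered globally rather than per-net this needs a NULL check on the fast path (or documentation that one already exists). The comment to add above the check would be `/* Tables not permitted in this VE: leave net->ipv6.ip6table_nat NULL; net_exit and the hooks must cope with that. */`. The added check also depends on `net->ipv6.ip6table_nat` being zero at this point, which the hunk does not show; the matching NULL guard is the one in ip6table_nat_net_exit below. The body of ip6table_nat_net_init continues past the end of this hunk.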
@@ -299,7 +303,11 @@ static int __net_init ip6table_nat_net_init(struct net *net)
static void __net_exit ip6table_nat_net_exit(struct net *net)
{
+ if (!net->ipv6.ip6table_nat)
+ return;
+
ip6t_unregister_table(net, net->ipv6.ip6table_nat);
+ net->ipv6.ip6table_nat = NULL;
}
static struct pernet_operations ip6table_nat_net_ops = {
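Review bot: The new NULL guard in ip6table_nat_net_exit has no comment saying why the table can be absent, which a reader without the init-side change will read as a defensive no-op rather than the intended "not permitted in this VE" case; `/* NULL when ip6table_nat_net_init skipped registration (ipt mask) */` above the `if` would tie the two hunks together. Clearing the pointer after `ip6t_unregister_table` is a good addition since it keeps the guard meaningful if exit were ever reached twice.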