[Devel] [PATCH rh7] net: Add ipt_mask checks into ip6table_nat

Andrew Vagin avagin at odin.com
Tue Jul 14 01:03:28 PDT 2015


On Mon, Jul 13, 2015 at 03:08:48PM +0300, Kirill Tkhai wrote:
> Register pernet table only if it's allowed.
> 
> https://jira.sw.ru/browse/PSBM-34748
>
Acked-by: Andrew Vagin <avagin at odin.com> 
> Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
> ---
>  net/ipv6/netfilter/ip6table_nat.c |    8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
> index 1be22b9..e50a640 100644
> --- a/net/ipv6/netfilter/ip6table_nat.c
> +++ b/net/ipv6/netfilter/ip6table_nat.c
> @@ -289,6 +289,10 @@ static int __net_init ip6table_nat_net_init(struct net *net)
>  {
>  	struct ip6t_replace *repl;
>  
> +	if (!net_ipt_permitted(net, VE_IP_IPTABLE_NAT) ||
> +	    !net_ipt_permitted(net, VE_IP_IPTABLES6))
> +		return 0;
> +
>  	repl = ip6t_alloc_initial_table(&nf_nat_ipv6_table);
>  	if (repl == NULL)
>  		return -ENOMEM;
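Review bot: The early `return 0` leaves `net->ipv6.ip6table_nat` unset, so every reader of that pointer, not only ip6table_nat_net_exit, now has to tolerate NULL; the NAT hook chain that hands it to ip6t_do_table is outside this patch and nothing here shows it guarded, so confirm it checks the pointer (or that those hooks cannot run for such a netns) before merging. The skip also relies on the netns being zero-allocated rather than on an explicit assignment, which is worth stating next to the check, e.g. `/* Disabled by the container's ipt_mask: leave ip6table_nat NULL, net_exit tolerates it */`. ip6table_nat_net_init's body continues past the hunk.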
> @@ -299,7 +303,11 @@ static int __net_init ip6table_nat_net_init(struct net *net)
>  
>  static void __net_exit ip6table_nat_net_exit(struct net *net)
>  {
> +	if (!net->ipv6.ip6table_nat)
> +		return;
> +
>  	ip6t_unregister_table(net, net->ipv6.ip6table_nat);
> +	net->ipv6.ip6table_nat = NULL;
>  }
>  
>  static struct pernet_operations ip6table_nat_net_ops = {
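Review bot: The new NULL guard at the top of ip6table_nat_net_exit is unexplained where it appears; a reader of this function alone cannot tell that the pointer is legitimately NULL when net_init skipped registration, as opposed to a stale or never-initialised value. A one-line comment above the check, `/* net_init skipped registration (ipt_mask): nothing to unregister */`, would record that. Clearing the pointer after ip6t_unregister_table is fine and keeps the guard reliable for any later reader.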
> 


