[Devel] [PATCH 2/5] netfilter: control iptables detries visibility in CT by S_ISVTX
Stanislav Kinsburskiy
skinsbursky at virtuozzo.com
Fri Jul 21 10:23:18 MSK 2017
They won't be visible in the CT if netfilter is disabled for it.
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
net/netfilter/x_tables.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4a351de..c93f0aa 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1639,6 +1639,7 @@ int xt_proto_init(struct net *net, u_int8_t af)
#ifdef CONFIG_PROC_FS
char buf[XT_FUNCTION_MAXNAMELEN];
struct proc_dir_entry *proc;
+ int mode = 0440;
#endif
if (af >= ARRAY_SIZE(xt_prefix))
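Review bot: The added declaration uses `int mode = 0440;`, but the mode parameter of proc_create_data() is `umode_t` in the kernels this code targets, so the value is narrowed implicitly on every call below; declaring it `umode_t mode = 0440;` matches the callee and the S_ISVTX constant that is OR-ed into it. This is a style point only, the value fits either way. xt_proto_init begins before this hunk and continues after it.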
@@ -1646,23 +1647,26 @@ int xt_proto_init(struct net *net, u_int8_t af)
#ifdef CONFIG_PROC_FS
+ if (likely(net_ipt_permitted(net, VE_IP_IPTABLES)))
+ mode |= S_ISVTX;
+
strlcpy(buf, xt_prefix[af], sizeof(buf));
strlcat(buf, FORMAT_TABLES, sizeof(buf));
- proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_table_ops,
+ proc = proc_create_data(buf, mode, net->proc_net, &xt_table_ops,
(void *)(unsigned long)af);
if (!proc)
goto out;
strlcpy(buf, xt_prefix[af], sizeof(buf));
strlcat(buf, FORMAT_MATCHES, sizeof(buf));
- proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_match_ops,
+ proc = proc_create_data(buf, mode, net->proc_net, &xt_match_ops,
(void *)(unsigned long)af);
if (!proc)
goto out_remove_tables;
strlcpy(buf, xt_prefix[af], sizeof(buf));
strlcat(buf, FORMAT_TARGETS, sizeof(buf));
- proc = proc_net_create_data(buf, 0440, net->proc_net, &xt_target_ops,
+ proc = proc_create_data(buf, mode, net->proc_net, &xt_target_ops,
(void *)(unsigned long)af);
if (!proc)
goto out_remove_matches;
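Review bot: S_ISVTX is repurposed here as a "visible inside the container" marker on a proc file, and nothing in the hunk says so, so a reader of xt_proto_init will take it for an ordinary sticky bit; a comment where it is set is warranted, e.g. `/* S_ISVTX on the proc entry marks it as visible inside the CT; it is left clear when iptables is not permitted for this netns so the entry stays hidden there. */`. The decision is also taken once, when xt_proto_init runs for the netns: if net_ipt_permitted() can change for a live container (I cannot tell from this hunk), the mode of the three entries will not follow it, which should be documented or handled wherever the permission flips. The `likely()` on a one-shot initialisation path buys nothing and suggests hot code; a plain `if (net_ipt_permitted(net, VE_IP_IPTABLES))` reads better. xt_proto_init continues past the hunk, so the error-unwinding labels are not visible here.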