Linux-libre 4.2-gnu

author: André Fabian Silva Delgado <emulatorman@parabola.nu> 2015-09-08 01:01:14 -0300
committer: André Fabian Silva Delgado <emulatorman@parabola.nu> 2015-09-08 01:01:14 -0300
commit: e5fd91f1ef340da553f7a79da9540c3db711c937 (patch)
tree: b11842027dc6641da63f4bcc524f8678263304a3 /net/netfilter/nf_tables_core.c
parent: 2a9b0348e685a63d97486f6749622b61e9e3292f (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f153b0707..f77bad46a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -114,7 +114,8 @@ unsigned int
 nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 {
 	const struct nft_chain *chain = ops->priv, *basechain = chain;
-	const struct net *net = read_pnet(&nft_base_chain(basechain)->pnet);
+	const struct net *chain_net = read_pnet(&nft_base_chain(basechain)->pnet);
+	const struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
 	const struct nft_rule *rule;
 	const struct nft_expr *expr, *last;
 	struct nft_regs regs;
@@ -124,6 +125,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 	int rulenum;
 	unsigned int gencursor = nft_genmask_cur(net);
 
+	/* Ignore chains that are not for the current network namespace */
+	if (!net_eq(net, chain_net))
+		return NF_ACCEPT;
+
 do_chain:
 	rulenum = 0;
 	rule = list_entry(&chain->rules, struct nft_rule, list);
author	André Fabian Silva Delgado <emulatorman@parabola.nu>	2015-09-08 01:01:14 -0300
committer	André Fabian Silva Delgado <emulatorman@parabola.nu>	2015-09-08 01:01:14 -0300
commit	e5fd91f1ef340da553f7a79da9540c3db711c937 (patch)
tree	b11842027dc6641da63f4bcc524f8678263304a3 /net/netfilter/nf_tables_core.c
parent	2a9b0348e685a63d97486f6749622b61e9e3292f (diff)