Patrick McHardy wrote:
> This looks better, thanks. A few remaining questions about things
> I missed previously:
>
> Jan Engelhardt wrote:
>> +static int condition_mt_check(const struct xt_mtchk_param *par)
>> +{
>> + ...
>> + /* Create the condition variable's proc file entry. */
>> + var->status_proc = create_proc_entry(info->name, condition_list_perms,
>> + proc_net_condition);
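Review bot: the return value of create_proc_entry() is not checked in the lines shown; it returns NULL on failure (including when an entry of that name already exists under the parent), so `var->status_proc` should be tested and the variable's allocation and list insertion unwound before checkentry returns an error. Since `info->name` comes straight from the userspace match info, it also needs to be NUL-terminated within its array and free of '/' (and not "." or "..") before it is handed to proc, otherwise proc will parse it as a path instead of a plain entry name.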
>
> proc_net_condition is a global variable, so this won't work for
> namespaces. What the code does is reinitialize it when instantiating
> a new namespace, so it will always point to the last instantiated
> namespace.
>
> The same problem exists for the condition_list, each namespace
> should only be able to access its own conditions.
This also applies to the permission variables. Basically, we shouldn't
be having any globals except perhaps the mutex. You probably need a
module_param_call function to set them for the correct namespace (you
can access that through current->nsproxy->net_ns).
>> +static struct xt_match condition_mt_reg __read_mostly = {
>> + .name = "condition",
>> + .revision = 1,
>
> Why are we starting with revision 1?
>
>> + .family = NFPROTO_UNSPEC,
>> + .matchsize = sizeof(struct xt_condition_mtinfo),
>> + .match = condition_mt,
>> + .checkentry = condition_mt_check,
>> + .destroy = condition_mt_destroy,
>> + .me = THIS_MODULE,
>> +};
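Review bot: `.revision = 1` needs a justification in the commit message, since no revision 0 is registered here; xtables revisions exist to tell apart incompatible layouts of the match info, and libxt_condition will request the revision it was built for, so unless a revision 0 of `struct xt_condition_mtinfo` with a different layout is already deployed (for instance out of tree), this should start at 0, and if one is, say so. Also, with `.family = NFPROTO_UNSPEC` the same condition name can be referenced from IPv4, IPv6 and other tables at once, so the reference counting done in condition_mt_check()/condition_mt_destroy() has to be correct across families sharing one variable.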
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
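The per-namespace layout Patrick asks for, sketched as an added userspace C model; this is not code from the patch or from xtables. The kernel pieces it stands in for (a pernet_operations ->init/->exit pair and net_generic()) are only named in comments, and the type names `condition_net`, `condition_get()`/`condition_put()` and the 31-byte name limit are assumptions. It keeps the global pointer the review objects to alongside the per-net state so the failure can be seen directly: after a second namespace is initialised, a lookup through the global misses a variable the owning namespace still has. It also shows the name validation that a user-supplied proc entry name needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COND_NAME_MAX 31   /* assumed: sizeof(xt_condition_mtinfo.name) - 1 */

struct condition_variable {
    struct condition_variable *next;
    char name[COND_NAME_MAX + 1];
    unsigned int refcount;
};

/* Per-namespace state: one list and one set of proc permissions per net.
 * In the kernel this would be allocated by pernet_operations ->init and
 * reached via net_generic(net, id); here it is embedded in the fake net. */
struct condition_net {
    struct condition_variable *list;
    unsigned int dir_perms;
    unsigned int file_perms;
};

struct net {                 /* stand-in for struct net */
    int id;
    struct condition_net cond;
};

/* The pattern under review: a single global that ->init overwrites, so it
 * always refers to the most recently created namespace. Kept for the demo. */
static struct condition_net *global_cond;

static void condition_net_init(struct net *net)   /* pernet ->init */
{
    net->cond.list = NULL;
    net->cond.dir_perms = 0755;
    net->cond.file_perms = 0644;
    global_cond = &net->cond;
}

static void condition_net_exit(struct net *net)   /* pernet ->exit */
{
    struct condition_variable *v = net->cond.list, *next;
    while (v) { next = v->next; free(v); v = next; }
    net->cond.list = NULL;
}

/* A user-supplied name must be non-empty, NUL-terminated inside its array,
 * contain no '/' and not be "." or ".." before proc ever sees it. */
static int condition_name_ok(const char *name)
{
    size_t i;
    for (i = 0; i <= COND_NAME_MAX && name[i] != '\0'; i++)
        if (name[i] == '/')
            return 0;
    if (i == 0 || i > COND_NAME_MAX)          /* empty or unterminated */
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

static struct condition_variable *
condition_find(const struct condition_net *cn, const char *name)
{
    struct condition_variable *v;
    for (v = cn->list; v; v = v->next)
        if (strcmp(v->name, name) == 0)
            return v;
    return NULL;
}

/* checkentry: find or create the variable in the caller's own namespace. */
static struct condition_variable *condition_get(struct net *net, const char *name)
{
    struct condition_variable *v;
    if (!condition_name_ok(name))
        return NULL;
    v = condition_find(&net->cond, name);
    if (v) { v->refcount++; return v; }
    v = calloc(1, sizeof(*v));
    if (!v)
        return NULL;
    strcpy(v->name, name);                    /* bounded by condition_name_ok */
    v->refcount = 1;
    v->next = net->cond.list;
    net->cond.list = v;
    return v;
}

/* destroy: drop a reference; unlink and free on the last one. */
static void condition_put(struct net *net, struct condition_variable *v)
{
    struct condition_variable **pp;
    if (--v->refcount)
        return;
    for (pp = &net->cond.list; *pp; pp = &(*pp)->next)
        if (*pp == v) { *pp = v->next; break; }
    free(v);
}

/* 1 if a lookup through the global misses what the owning net still has. */
static int global_pointer_goes_stale(void)
{
    struct net a = { 1, { NULL, 0, 0 } }, b = { 2, { NULL, 0, 0 } };
    int stale;
    condition_net_init(&a);
    condition_get(&a, "foo");
    condition_net_init(&b);                   /* global_cond now -> b */
    stale = condition_find(global_cond, "foo") == NULL &&
            condition_find(&a.cond, "foo") != NULL;
    condition_net_exit(&a);
    condition_net_exit(&b);
    return stale;
}

/* 1 if names in one namespace are separate from, and invisible to, another. */
static int namespaces_are_isolated(void)
{
    struct net a = { 1, { NULL, 0, 0 } }, b = { 2, { NULL, 0, 0 } };
    struct condition_variable *va, *vb;
    int ok;
    condition_net_init(&a);
    condition_net_init(&b);
    va = condition_get(&a, "foo");
    vb = condition_get(&b, "foo");            /* same name, own variable */
    ok = va && vb && va != vb && condition_find(&b.cond, "bar") == NULL;
    condition_put(&a, va);                    /* last ref: gone from a */
    ok = ok && condition_find(&a.cond, "foo") == NULL;
    condition_put(&b, vb);
    condition_net_exit(&a);
    condition_net_exit(&b);
    return ok;
}

int main(void)
{
    printf("global pointer stale: %d\n", global_pointer_goes_stale());
    printf("namespaces isolated:  %d\n", namespaces_are_isolated());
    printf("\"../x\" accepted:      %d\n", condition_name_ok("../x"));
    return 0;
}
```

The permission values are deliberately stored per net as well; a module_param on the global would otherwise change the mode for whichever namespace happened to be created last, which is the same aliasing problem as the proc directory pointer.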