netfilter: conntrack: do not dump other netns's conntrack entries via proc

We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces") Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Liping Zhang 2016-08-15 21:50:35 +0800
committer: Pablo Neira Ayuso 2016-08-17 17:41:58 +0200
commit: e77e6ff502ea3d193872b5b9033bfd9717b36447 (patch)
tree: de6d9d933936650e25f957ba5084a582fd709c05
parent: a1560dd7a47f983419760aa7f6a481e3b910b54b (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 958a1455ca7f..9f267c3ffb39 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -205,6 +205,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
 	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
 	const struct nf_conntrack_l3proto *l3proto;
 	const struct nf_conntrack_l4proto *l4proto;
+	struct net *net = seq_file_net(s);
 	int ret = 0;
 
 	NF_CT_ASSERT(ct);
@@ -215,6 +216,9 @@ static int ct_seq_show(struct seq_file *s, void *v)
 	if (NF_CT_DIRECTION(hash))
 		goto release;
 
+	if (!net_eq(nf_ct_net(ct), net))
+		goto release;
+
 	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
 	NF_CT_ASSERT(l3proto);
 	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
author	Liping Zhang	2016-08-15 21:50:35 +0800
committer	Pablo Neira Ayuso	2016-08-17 17:41:58 +0200
commit	e77e6ff502ea3d193872b5b9033bfd9717b36447 (patch)
tree	de6d9d933936650e25f957ba5084a582fd709c05
parent	a1560dd7a47f983419760aa7f6a481e3b910b54b (diff)