29a26a5680
Pass a network namespace parameter into the netfilter hooks. At the call site of the netfilter hooks the path a packet is taking through the network stack is well known which allows the network namespace to be easily and reliabily. This allows the replacement of magic code like "dev_net(state->in?:state->out)" that appears at the start of most netfilter hooks with "state->net". In almost all cases the network namespace passed in is derived from the first network device passed in, guaranteeing those paths will not see any changes in practice. The exceptions are: xfrm/xfrm_output.c:xfrm_output_resume() xs_net(skb_dst(skb)->xfrm) ipvs/ip_vs_xmit.c:ip_vs_nat_send_or_cont() ip_vs_conn_net(cp) ipvs/ip_vs_xmit.c:ip_vs_send_or_cont() ip_vs_conn_net(cp) ipv4/raw.c:raw_send_hdrinc() sock_net(sk) ipv6/ip6_output.c:ip6_xmit() sock_net(sk) ipv6/ndisc.c:ndisc_send_skb() dev_net(skb->dev) not dev_net(dst->dev) ipv6/raw.c:raw6_send_hdrinc() sock_net(sk) br_netfilter_hooks.c:br_nf_pre_routing_finish() dev_net(skb->dev) before skb->dev is set to nf_bridge->physindev In all cases these exceptions seem to be a better expression for the network namespace the packet is being processed in then the historic "dev_net(in?in:out)". I am documenting them in case something odd pops up and someone starts trying to track down what happened. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| netfilter | ||
| af_decnet.c | ||
| dn_dev.c | ||
| dn_fib.c | ||
| dn_neigh.c | ||
| dn_nsp_in.c | ||
| dn_nsp_out.c | ||
| dn_route.c | ||
| dn_rules.c | ||
| dn_table.c | ||
| dn_timer.c | ||
| Kconfig | ||
| Makefile | ||
| README | ||
| sysctl_net_decnet.c | ||
| TODO | ||
Linux DECnet Project
======================
The documentation for this kernel subsystem is available in the
Documentation/networking subdirectory of this distribution and also
on line at http://www.chygwyn.com/DECnet/
Steve Whitehouse <SteveW@ACM.org>