netfilter: conntrack: check netns when comparing conntrack objects

Once we place all conntracks in the same hash table we must also compare the netns pointer to skip conntracks that belong to a different namespace. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2016-04-28 19:13:45 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-05 16:39:46 +0200
commit: e0c7d47221883966d930fa7335b3ca295bc316b2 (patch)
tree: a656f04d8c15ca2efeb88b94742bfb329112a595 /net/netfilter/nf_conntrack_netlink.c
parent: netfilter: conntrack: small refactoring of conntrack seq_printf (diff)
download: wireguard-linux-e0c7d47221883966d930fa7335b3ca295bc316b2.tar.xz
wireguard-linux-e0c7d47221883966d930fa7335b3ca295bc316b2.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 294a8e28cec4..f6bbcb23749e 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -837,6 +837,9 @@ restart:
 			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 				continue;
 			ct = nf_ct_tuplehash_to_ctrack(h);
+			if (!net_eq(net, nf_ct_net(ct)))
+				continue;
+
 			/* Dump entries of a given L3 protocol number.
 			 * If it is not specified, ie. l3proto == 0,
 			 * then dump everything. */
author	Florian Westphal <fw@strlen.de>	2016-04-28 19:13:45 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-05-05 16:39:46 +0200
commit	e0c7d47221883966d930fa7335b3ca295bc316b2 (patch)
tree	a656f04d8c15ca2efeb88b94742bfb329112a595 /net/netfilter/nf_conntrack_netlink.c
parent	netfilter: conntrack: small refactoring of conntrack seq_printf (diff)
download	wireguard-linux-e0c7d47221883966d930fa7335b3ca295bc316b2.tar.xz wireguard-linux-e0c7d47221883966d930fa7335b3ca295bc316b2.zip