netfilter: conntrack: check netns when comparing conntrack objects Once we place all conntracks in the same hash table we must also compare the netns pointer to skip conntracks that belong to a different namespace. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit: e0c7d47221883966d930fa7335b3ca295bc316b2 [log] [tgz]
author: Florian Westphal <fw@strlen.de> Thu Apr 28 19:13:45 2016 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> Thu May 05 16:39:46 2016 +0200
tree: a656f04d8c15ca2efeb88b94742bfb329112a595
parent: 245cfdcaba2e7e4ee16b12af547ead37f9c501cd [diff] [blame]
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 294a8e2..f6bbcb2 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c

@@ -837,6 +837,9 @@
 			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 				continue;
 			ct = nf_ct_tuplehash_to_ctrack(h);
+			if (!net_eq(net, nf_ct_net(ct)))
+				continue;
+
 			/* Dump entries of a given L3 protocol number.
 			 * If it is not specified, ie. l3proto == 0,
 			 * then dump everything. */
commit	e0c7d47221883966d930fa7335b3ca295bc316b2	[log] [tgz]
author	Florian Westphal <fw@strlen.de>	Thu Apr 28 19:13:45 2016 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	Thu May 05 16:39:46 2016 +0200
tree	a656f04d8c15ca2efeb88b94742bfb329112a595
parent	245cfdcaba2e7e4ee16b12af547ead37f9c501cd [diff] [blame]