Skip to content
  • Eric W. Biederman's avatar
    netfilter: Pass struct net into the netfilter hooks · 29a26a56
    Eric W. Biederman authored
    Pass a network namespace parameter into the netfilter hooks.  At the
    call site of the netfilter hooks the path a packet is taking through
    the network stack is well known which allows the network namespace to
    be easily and reliabily.
    This allows the replacement of magic code like
    "dev_net(state->in?:state->out)" that appears at the start of most
    netfilter hooks with "state->net".
    In almost all cases the network namespace passed in is derived
    from the first network device passed in, guaranteeing those
    paths will not see any changes in practice.
    The exceptions are:
    xfrm/xfrm_output.c:xfrm_output_resume()         xs_net(skb_dst(skb)->xfrm)
    ipvs/ip_vs_xmit.c:ip_vs_nat_send_or_cont()      ip_vs_conn_net(cp)
    ipvs/ip_vs_xmit.c:ip_vs_send_or_cont()          ip_vs_conn_net(cp)
    ipv4/raw.c:raw_send_hdrinc()                    sock_net(sk)
    ipv6/ip6_output.c:ip6_xmit()			sock_net(sk)
    ipv6/ndisc.c:ndisc_send_skb()                   dev_net(skb->dev) not dev_net(dst->dev)
    ipv6/raw.c:raw6_send_hdrinc()                   sock_net(sk)
    br_netfilter_hooks.c:br_nf_pre_routing_finish() dev_net(skb->dev) before skb->dev is set to nf_bridge->physindev
    In all cases these exceptions seem to be a better expression for the
    network namespace the packet is being processed in then the historic
    "dev_net(in?in:out)".  I am documenting them in case something odd
    pops up and someone starts trying to track down what happened.
    Signed-off-by: default avatar"Eric W. Biederman" <>
    Signed-off-by: default avatarDavid S. Miller <>