Merge tag 'backlight-for-linus-4.2' of git://git.kernel.org/pub/scm/linux/kernel...

[deliverable/linux.git] / net / netfilter / nf_tables_core.c

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f153b07073afba0f544889eb01312a57414f74a6..f77bad46ac683bae9797846ce15f31ded95d00f1 100644 (file)
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -114,7 +114,8 @@ unsigned int
 nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 {
        const struct nft_chain *chain = ops->priv, *basechain = chain;
-       const struct net *net = read_pnet(&nft_base_chain(basechain)->pnet);
+       const struct net *chain_net = read_pnet(&nft_base_chain(basechain)->pnet);
+       const struct net *net = dev_net(pkt->in ? pkt->in : pkt->out);
        const struct nft_rule *rule;
        const struct nft_expr *expr, *last;
        struct nft_regs regs;
@@ -124,6 +125,10 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
        int rulenum;
        unsigned int gencursor = nft_genmask_cur(net);
 
+       /* Ignore chains that are not for the current network namespace */
+       if (!net_eq(net, chain_net))
+               return NF_ACCEPT;
+
 do_chain:
        rulenum = 0;
        rule = list_entry(&chain->rules, struct nft_rule, list);