Shmulik Ladkani <shmulik.ladk...@gmail.com> wrote:
> -static int nf_conntrack_acct_init_sysctl(struct net *net)
> -{
> - struct ctl_table *table;
> -
> - table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
> - GFP_KERNEL);
> - if (!table)
> - goto out;
> -
> - table[0].data = &net->ct.sysctl_acct;
> -
>
> (where 'nf_conntrack_acct_init_sysctl()' was originally called by
> 'nf_conntrack_acct_pernet_init()').
>
> However POST d912dec12428, the per-net netfilter sysctl table simply
> inherits from global 'nf_ct_sysctl_table[]', which has
>
> + .data = &init_net.ct.sysctl_acct,
>
> effectively making any 'net.netfilter.nf_conntrack_acct' sysctl change
> affect the 'init_net' and not the relevant net namespace.
>
> Also, looks like "nf_conntrack_helper", "nf_conntrack_events",
> "nf_conntrack_timestamp" were also harmed in a similar way, see:
>
> d912dec12428 ("netfilter: conntrack: merge acct and helper sysctl table
> with main one")
> cb2833ed0044 ("netfilter: conntrack: merge ecache and timestamp sysctl
> tables with main one")
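Review bot: the per-namespace `.data` override is dropped in this hunk without a replacement: the removed `table[0].data = &net->ct.sysctl_acct;` was the only thing pointing each namespace's table entry at its own `ct.sysctl_acct`, while the merged `nf_ct_sysctl_table[]` entry is added with `.data = &init_net.ct.sysctl_acct,` and no visible code re-points it per net, so a write to `net.netfilter.nf_conntrack_acct` from a child namespace modifies `init_net` instead. The per-net sysctl init should reassign `.data` on the duplicated table for each merged entry (acct here, and by the same pattern the helper, events and timestamp entries named in the reply) to the corresponding `&net->ct.*` field, mirroring the removed line.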
Thanks for reporting this bug, I will submit a patch soon.