Commit da6836500414ae734cd9873c2d553db594f831e9
Committed by
David S. Miller
David S. Miller
1 parent
37d6680042
Exists in
master
and in
4 other branches
netfilter: allow hooks to pass error code back up the stack
SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 2 changed files with 6 additions and 2 deletions Side-by-side Diff
include/linux/netfilter.h
| ... | ... | @@ -33,6 +33,8 @@ |
| 33 | 33 | |
| 34 | 34 | #define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE) |
| 35 | 35 | |
| 36 | +#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP) | |
| 37 | + | |
| 36 | 38 | /* only for userspace compatibility */ |
| 37 | 39 | #ifndef __KERNEL__ |
| 38 | 40 | /* Generic cache responses from hook functions. |
net/netfilter/core.c
| ... | ... | @@ -173,9 +173,11 @@ |
| 173 | 173 | outdev, &elem, okfn, hook_thresh); |
| 174 | 174 | if (verdict == NF_ACCEPT || verdict == NF_STOP) { |
| 175 | 175 | ret = 1; |
| 176 | - } else if (verdict == NF_DROP) { | |
| 176 | + } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { | |
| 177 | 177 | kfree_skb(skb); |
| 178 | - ret = -EPERM; | |
| 178 | + ret = -(verdict >> NF_VERDICT_BITS); | |
| 179 | + if (ret == 0) | |
| 180 | + ret = -EPERM; | |
| 179 | 181 | } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { |
| 180 | 182 | if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn, |
| 181 | 183 | verdict >> NF_VERDICT_BITS)) |