Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

netfilter: allow hooks to pass error code back up the stack

Browse source 
SELinux would like to pass certain fatal errors back up the stack.  This patch
implements the generic netfilter support for this functionality.

Based-on-patch-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Paris 2010-11-16 11:52:38 +00:00 committed by David S. Miller
parent 37d6680042
commit da68365004
2 changed files with 6 additions and 2 deletions
include/linux
netfilter.h
net/netfilter
core.c

2
include/linux/netfilter.h
View file

@ -33,6 +33,8 @@
#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP)
/* only for userspace compatibility */
#ifndef __KERNEL__
/* Generic cache responses from hook functions.

6
net/netfilter/core.c
View file

@ -173,9 +173,11 @@ int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
outdev, &elem, okfn, hook_thresh);
if (verdict == NF_ACCEPT || verdict == NF_STOP) {
ret = 1;
} else if (verdict == NF_DROP) {
} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
kfree_skb(skb);
ret = -EPERM;
ret = -(verdict >> NF_VERDICT_BITS);
if (ret == 0)
ret = -EPERM;
} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
verdict >> NF_VERDICT_BITS))