aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-11-16 06:52:38 -0500
committerDavid S. Miller <davem@davemloft.net>2010-11-17 13:54:34 -0500
commitda6836500414ae734cd9873c2d553db594f831e9 (patch)
tree1661f8ec37787e77e604a4f26574d48c57016ed4
parent37d668004289d202f71dc5bfdadf6c18b34577a2 (diff)
netfilter: allow hooks to pass error code back up the stack
SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--include/linux/netfilter.h2
-rw-r--r--net/netfilter/core.c6
2 files changed, 6 insertions, 2 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 03317c8d4077..1893837b3966 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -33,6 +33,8 @@
33 33
34#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE) 34#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
35 35
36#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP)
37
36/* only for userspace compatibility */ 38/* only for userspace compatibility */
37#ifndef __KERNEL__ 39#ifndef __KERNEL__
38/* Generic cache responses from hook functions. 40/* Generic cache responses from hook functions.
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85dabb86be6f..32fcbe290c04 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -173,9 +173,11 @@ next_hook:
173 outdev, &elem, okfn, hook_thresh); 173 outdev, &elem, okfn, hook_thresh);
174 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 174 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
175 ret = 1; 175 ret = 1;
176 } else if (verdict == NF_DROP) { 176 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
177 kfree_skb(skb); 177 kfree_skb(skb);
178 ret = -EPERM; 178 ret = -(verdict >> NF_VERDICT_BITS);
179 if (ret == 0)
180 ret = -EPERM;
179 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 181 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
180 if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn, 182 if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
181 verdict >> NF_VERDICT_BITS)) 183 verdict >> NF_VERDICT_BITS))
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-29 00:31:48 -0400