diff options
| author | Patrick McHardy <kaber@trash.net> | 2013-04-05 02:41:12 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-04-08 06:34:01 -0400 |
| commit | aaa795ad25e18488b026572c7ba2ca8f99ced0b7 (patch) | |
| tree | c3a4063079921aeca40976aa631b8dba0113507d /net/ipv6 | |
| parent | 58e35d1471287c59b9749fb82f04c628c36b9994 (diff) | |
netfilter: nat: propagate errors from xfrm_me_harder()
Propagate errors from ip_xfrm_me_harder() instead of returning EPERM in
all cases.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/ip6table_nat.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c index 97e2edd8c209..6383f90efda8 100644 --- a/net/ipv6/netfilter/ip6table_nat.c +++ b/net/ipv6/netfilter/ip6table_nat.c | |||
| @@ -179,6 +179,7 @@ nf_nat_ipv6_out(unsigned int hooknum, | |||
| 179 | #ifdef CONFIG_XFRM | 179 | #ifdef CONFIG_XFRM |
| 180 | const struct nf_conn *ct; | 180 | const struct nf_conn *ct; |
| 181 | enum ip_conntrack_info ctinfo; | 181 | enum ip_conntrack_info ctinfo; |
| 182 | int err; | ||
| 182 | #endif | 183 | #endif |
| 183 | unsigned int ret; | 184 | unsigned int ret; |
| 184 | 185 | ||
| @@ -197,9 +198,11 @@ nf_nat_ipv6_out(unsigned int hooknum, | |||
| 197 | &ct->tuplehash[!dir].tuple.dst.u3) || | 198 | &ct->tuplehash[!dir].tuple.dst.u3) || |
| 198 | (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && | 199 | (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && |
| 199 | ct->tuplehash[dir].tuple.src.u.all != | 200 | ct->tuplehash[dir].tuple.src.u.all != |
| 200 | ct->tuplehash[!dir].tuple.dst.u.all)) | 201 | ct->tuplehash[!dir].tuple.dst.u.all)) { |
| 201 | if (nf_xfrm_me_harder(skb, AF_INET6) < 0) | 202 | err = nf_xfrm_me_harder(skb, AF_INET6); |
| 202 | ret = NF_DROP; | 203 | if (err < 0) |
| 204 | ret = NF_DROP_ERR(err); | ||
| 205 | } | ||
| 203 | } | 206 | } |
| 204 | #endif | 207 | #endif |
| 205 | return ret; | 208 | return ret; |
| @@ -236,9 +239,11 @@ nf_nat_ipv6_local_fn(unsigned int hooknum, | |||
| 236 | else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && | 239 | else if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && |
| 237 | ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && | 240 | ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMPV6 && |
| 238 | ct->tuplehash[dir].tuple.dst.u.all != | 241 | ct->tuplehash[dir].tuple.dst.u.all != |
| 239 | ct->tuplehash[!dir].tuple.src.u.all) | 242 | ct->tuplehash[!dir].tuple.src.u.all) { |
| 240 | if (nf_xfrm_me_harder(skb, AF_INET6)) | 243 | err = nf_xfrm_me_harder(skb, AF_INET6); |
| 241 | ret = NF_DROP; | 244 | if (err < 0) |
| 245 | ret = NF_DROP_ERR(err); | ||
| 246 | } | ||
| 242 | #endif | 247 | #endif |
| 243 | } | 248 | } |
| 244 | return ret; | 249 | return ret; |