aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/linux/netfilter.h2
-rw-r--r--net/netfilter/core.c6
2 files changed, 6 insertions, 2 deletions
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 03317c8d4077..1893837b3966 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -33,6 +33,8 @@
33 33
34#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE) 34#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
35 35
36#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP)
37
36/* only for userspace compatibility */ 38/* only for userspace compatibility */
37#ifndef __KERNEL__ 39#ifndef __KERNEL__
38/* Generic cache responses from hook functions. 40/* Generic cache responses from hook functions.
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85dabb86be6f..32fcbe290c04 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -173,9 +173,11 @@ next_hook:
173 outdev, &elem, okfn, hook_thresh); 173 outdev, &elem, okfn, hook_thresh);
174 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 174 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
175 ret = 1; 175 ret = 1;
176 } else if (verdict == NF_DROP) { 176 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
177 kfree_skb(skb); 177 kfree_skb(skb);
178 ret = -EPERM; 178 ret = -(verdict >> NF_VERDICT_BITS);
179 if (ret == 0)
180 ret = -EPERM;
179 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 181 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
180 if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn, 182 if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
181 verdict >> NF_VERDICT_BITS)) 183 verdict >> NF_VERDICT_BITS))
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-03 01:27:26 -0500