diff options
-rw-r--r-- | include/linux/filter.h | 1 | ||||
-rw-r--r-- | include/net/sock.h | 35 | ||||
-rw-r--r-- | net/core/filter.c | 35 |
3 files changed, 36 insertions, 35 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h index bfc5d319b946..673e5677ebcc 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h | |||
@@ -142,6 +142,7 @@ static inline unsigned int sk_filter_len(const struct sk_filter *fp) | |||
142 | struct sk_buff; | 142 | struct sk_buff; |
143 | struct sock; | 143 | struct sock; |
144 | 144 | ||
145 | extern int sk_filter(struct sock *sk, struct sk_buff *skb); | ||
145 | extern unsigned int sk_run_filter(struct sk_buff *skb, | 146 | extern unsigned int sk_run_filter(struct sk_buff *skb, |
146 | struct sock_filter *filter, int flen); | 147 | struct sock_filter *filter, int flen); |
147 | extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk); | 148 | extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk); |
diff --git a/include/net/sock.h b/include/net/sock.h index f4fdd101c9a2..09255eae93e9 100644 --- a/include/net/sock.h +++ b/include/net/sock.h | |||
@@ -928,41 +928,6 @@ extern void sk_common_release(struct sock *sk); | |||
928 | extern void sock_init_data(struct socket *sock, struct sock *sk); | 928 | extern void sock_init_data(struct socket *sock, struct sock *sk); |
929 | 929 | ||
930 | /** | 930 | /** |
931 | * sk_filter - run a packet through a socket filter | ||
932 | * @sk: sock associated with &sk_buff | ||
933 | * @skb: buffer to filter | ||
934 | * @needlock: set to 1 if the sock is not locked by caller. | ||
935 | * | ||
936 | * Run the filter code and then cut skb->data to correct size returned by | ||
937 | * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller | ||
938 | * than pkt_len we keep whole skb->data. This is the socket level | ||
939 | * wrapper to sk_run_filter. It returns 0 if the packet should | ||
940 | * be accepted or -EPERM if the packet should be tossed. | ||
941 | * | ||
942 | */ | ||
943 | |||
944 | static inline int sk_filter(struct sock *sk, struct sk_buff *skb) | ||
945 | { | ||
946 | int err; | ||
947 | struct sk_filter *filter; | ||
948 | |||
949 | err = security_sock_rcv_skb(sk, skb); | ||
950 | if (err) | ||
951 | return err; | ||
952 | |||
953 | rcu_read_lock_bh(); | ||
954 | filter = rcu_dereference(sk->sk_filter); | ||
955 | if (filter) { | ||
956 | unsigned int pkt_len = sk_run_filter(skb, filter->insns, | ||
957 | filter->len); | ||
958 | err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; | ||
959 | } | ||
960 | rcu_read_unlock_bh(); | ||
961 | |||
962 | return err; | ||
963 | } | ||
964 | |||
965 | /** | ||
966 | * sk_filter_release: Release a socket filter | 931 | * sk_filter_release: Release a socket filter |
967 | * @sk: socket | 932 | * @sk: socket |
968 | * @fp: filter to remove | 933 | * @fp: filter to remove |
diff --git a/net/core/filter.c b/net/core/filter.c index 85a5febab567..bbb53c69857c 100644 --- a/net/core/filter.c +++ b/net/core/filter.c | |||
@@ -64,6 +64,41 @@ static inline void *load_pointer(struct sk_buff *skb, int k, | |||
64 | } | 64 | } |
65 | 65 | ||
66 | /** | 66 | /** |
67 | * sk_filter - run a packet through a socket filter | ||
68 | * @sk: sock associated with &sk_buff | ||
69 | * @skb: buffer to filter | ||
70 | * @needlock: set to 1 if the sock is not locked by caller. | ||
71 | * | ||
72 | * Run the filter code and then cut skb->data to correct size returned by | ||
73 | * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller | ||
74 | * than pkt_len we keep whole skb->data. This is the socket level | ||
75 | * wrapper to sk_run_filter. It returns 0 if the packet should | ||
76 | * be accepted or -EPERM if the packet should be tossed. | ||
77 | * | ||
78 | */ | ||
79 | int sk_filter(struct sock *sk, struct sk_buff *skb) | ||
80 | { | ||
81 | int err; | ||
82 | struct sk_filter *filter; | ||
83 | |||
84 | err = security_sock_rcv_skb(sk, skb); | ||
85 | if (err) | ||
86 | return err; | ||
87 | |||
88 | rcu_read_lock_bh(); | ||
89 | filter = rcu_dereference(sk->sk_filter); | ||
90 | if (filter) { | ||
91 | unsigned int pkt_len = sk_run_filter(skb, filter->insns, | ||
92 | filter->len); | ||
93 | err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; | ||
94 | } | ||
95 | rcu_read_unlock_bh(); | ||
96 | |||
97 | return err; | ||
98 | } | ||
99 | EXPORT_SYMBOL(sk_filter); | ||
100 | |||
101 | /** | ||
67 | * sk_run_filter - run a filter on a socket | 102 | * sk_run_filter - run a filter on a socket |
68 | * @skb: buffer to run the filter on | 103 | * @skb: buffer to run the filter on |
69 | * @filter: filter to apply | 104 | * @filter: filter to apply |