aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/filter.h1
-rw-r--r--include/net/sock.h35
-rw-r--r--net/core/filter.c35
3 files changed, 36 insertions, 35 deletions
diff --git a/include/linux/filter.h b/include/linux/filter.h
index bfc5d319b946..673e5677ebcc 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -142,6 +142,7 @@ static inline unsigned int sk_filter_len(const struct sk_filter *fp)
142struct sk_buff; 142struct sk_buff;
143struct sock; 143struct sock;
144 144
145extern int sk_filter(struct sock *sk, struct sk_buff *skb);
145extern unsigned int sk_run_filter(struct sk_buff *skb, 146extern unsigned int sk_run_filter(struct sk_buff *skb,
146 struct sock_filter *filter, int flen); 147 struct sock_filter *filter, int flen);
147extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk); 148extern int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
diff --git a/include/net/sock.h b/include/net/sock.h
index f4fdd101c9a2..09255eae93e9 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -928,41 +928,6 @@ extern void sk_common_release(struct sock *sk);
928extern void sock_init_data(struct socket *sock, struct sock *sk); 928extern void sock_init_data(struct socket *sock, struct sock *sk);
929 929
930/** 930/**
931 * sk_filter - run a packet through a socket filter
932 * @sk: sock associated with &sk_buff
933 * @skb: buffer to filter
934 * @needlock: set to 1 if the sock is not locked by caller.
935 *
936 * Run the filter code and then cut skb->data to correct size returned by
937 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
938 * than pkt_len we keep whole skb->data. This is the socket level
939 * wrapper to sk_run_filter. It returns 0 if the packet should
940 * be accepted or -EPERM if the packet should be tossed.
941 *
942 */
943
944static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
945{
946 int err;
947 struct sk_filter *filter;
948
949 err = security_sock_rcv_skb(sk, skb);
950 if (err)
951 return err;
952
953 rcu_read_lock_bh();
954 filter = rcu_dereference(sk->sk_filter);
955 if (filter) {
956 unsigned int pkt_len = sk_run_filter(skb, filter->insns,
957 filter->len);
958 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
959 }
960 rcu_read_unlock_bh();
961
962 return err;
963}
964
965/**
966 * sk_filter_release: Release a socket filter 931 * sk_filter_release: Release a socket filter
967 * @sk: socket 932 * @sk: socket
968 * @fp: filter to remove 933 * @fp: filter to remove
diff --git a/net/core/filter.c b/net/core/filter.c
index 85a5febab567..bbb53c69857c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -64,6 +64,41 @@ static inline void *load_pointer(struct sk_buff *skb, int k,
64} 64}
65 65
66/** 66/**
67 * sk_filter - run a packet through a socket filter
68 * @sk: sock associated with &sk_buff
69 * @skb: buffer to filter
70 * @needlock: set to 1 if the sock is not locked by caller.
71 *
72 * Run the filter code and then cut skb->data to correct size returned by
73 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
74 * than pkt_len we keep whole skb->data. This is the socket level
75 * wrapper to sk_run_filter. It returns 0 if the packet should
76 * be accepted or -EPERM if the packet should be tossed.
77 *
78 */
79int sk_filter(struct sock *sk, struct sk_buff *skb)
80{
81 int err;
82 struct sk_filter *filter;
83
84 err = security_sock_rcv_skb(sk, skb);
85 if (err)
86 return err;
87
88 rcu_read_lock_bh();
89 filter = rcu_dereference(sk->sk_filter);
90 if (filter) {
91 unsigned int pkt_len = sk_run_filter(skb, filter->insns,
92 filter->len);
93 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
94 }
95 rcu_read_unlock_bh();
96
97 return err;
98}
99EXPORT_SYMBOL(sk_filter);
100
101/**
67 * sk_run_filter - run a filter on a socket 102 * sk_run_filter - run a filter on a socket
68 * @skb: buffer to run the filter on 103 * @skb: buffer to run the filter on
69 * @filter: filter to apply 104 * @filter: filter to apply