aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/core/filter.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/net/core/filter.c b/net/core/filter.c
index 85a5febab567..bbb53c69857c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -64,6 +64,41 @@ static inline void *load_pointer(struct sk_buff *skb, int k,
64} 64}
65 65
66/** 66/**
67 * sk_filter - run a packet through a socket filter
68 * @sk: sock associated with &sk_buff
69 * @skb: buffer to filter
70 * @needlock: set to 1 if the sock is not locked by caller.
71 *
72 * Run the filter code and then cut skb->data to correct size returned by
73 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
74 * than pkt_len we keep whole skb->data. This is the socket level
75 * wrapper to sk_run_filter. It returns 0 if the packet should
76 * be accepted or -EPERM if the packet should be tossed.
77 *
78 */
79int sk_filter(struct sock *sk, struct sk_buff *skb)
80{
81 int err;
82 struct sk_filter *filter;
83
84 err = security_sock_rcv_skb(sk, skb);
85 if (err)
86 return err;
87
88 rcu_read_lock_bh();
89 filter = rcu_dereference(sk->sk_filter);
90 if (filter) {
91 unsigned int pkt_len = sk_run_filter(skb, filter->insns,
92 filter->len);
93 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
94 }
95 rcu_read_unlock_bh();
96
97 return err;
98}
99EXPORT_SYMBOL(sk_filter);
100
101/**
67 * sk_run_filter - run a filter on a socket 102 * sk_run_filter - run a filter on a socket
68 * @skb: buffer to run the filter on 103 * @skb: buffer to run the filter on
69 * @filter: filter to apply 104 * @filter: filter to apply