diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/core/filter.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index 85a5febab567..bbb53c69857c 100644 --- a/net/core/filter.c +++ b/net/core/filter.c | |||
@@ -64,6 +64,41 @@ static inline void *load_pointer(struct sk_buff *skb, int k, | |||
64 | } | 64 | } |
65 | 65 | ||
66 | /** | 66 | /** |
67 | * sk_filter - run a packet through a socket filter | ||
68 | * @sk: sock associated with &sk_buff | ||
69 | * @skb: buffer to filter | ||
70 | * @needlock: set to 1 if the sock is not locked by caller. | ||
71 | * | ||
72 | * Run the filter code and then cut skb->data to correct size returned by | ||
73 | * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller | ||
74 | * than pkt_len we keep whole skb->data. This is the socket level | ||
75 | * wrapper to sk_run_filter. It returns 0 if the packet should | ||
76 | * be accepted or -EPERM if the packet should be tossed. | ||
77 | * | ||
78 | */ | ||
79 | int sk_filter(struct sock *sk, struct sk_buff *skb) | ||
80 | { | ||
81 | int err; | ||
82 | struct sk_filter *filter; | ||
83 | |||
84 | err = security_sock_rcv_skb(sk, skb); | ||
85 | if (err) | ||
86 | return err; | ||
87 | |||
88 | rcu_read_lock_bh(); | ||
89 | filter = rcu_dereference(sk->sk_filter); | ||
90 | if (filter) { | ||
91 | unsigned int pkt_len = sk_run_filter(skb, filter->insns, | ||
92 | filter->len); | ||
93 | err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; | ||
94 | } | ||
95 | rcu_read_unlock_bh(); | ||
96 | |||
97 | return err; | ||
98 | } | ||
99 | EXPORT_SYMBOL(sk_filter); | ||
100 | |||
101 | /** | ||
67 | * sk_run_filter - run a filter on a socket | 102 | * sk_run_filter - run a filter on a socket |
68 | * @skb: buffer to run the filter on | 103 | * @skb: buffer to run the filter on |
69 | * @filter: filter to apply | 104 | * @filter: filter to apply |