netfilter: allow hooks to pass error code back up the stack

SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N Eric Paris <eparis@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

netfilter: allow hooks to pass error code back up the stack
SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N Eric Paris <eparis@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
da683650 · Eric Paris · David S. Miller · 37d66800 · da683650 · da683650
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

include/linux/netfilter.h include/linux/netfilter.h +2 -0

net/netfilter/core.c net/netfilter/core.c +4 -2

未找到文件。
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -33,6 +33,8 @@

 #define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)

+#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP)
+
 /* only for userspace compatibility */
 #ifndef __KERNEL__
 /* Generic cache responses from hook functions.

--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -173,9 +173,11 @@ int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 			     outdev, &elem, okfn, hook_thresh);
 	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 		ret = 1;
-	} else if (verdict == NF_DROP) {
+	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
 		kfree_skb(skb);
-		ret = -EPERM;
+		ret = -(verdict >> NF_VERDICT_BITS);
+		if (ret == 0)
+			ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
 		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
 			      verdict >> NF_VERDICT_BITS))