Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit da683650 authored Nov 16, 2010 by Eric Paris Committed by David S. Miller Nov 17, 2010

netfilter: allow hooks to pass error code back up the stack



SELinux would like to pass certain fatal errors back up the stack.  This patch
implements the generic netfilter support for this functionality.

Based-on-patch-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 37d66800

include/linux/netfilter.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -33,6 +33,8 @@

	#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) \| NF_QUEUE)		#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) \| NF_QUEUE)

			#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) \| NF_DROP)

	/* only for userspace compatibility */		/* only for userspace compatibility */
	#ifndef __KERNEL__		#ifndef __KERNEL__
	/* Generic cache responses from hook functions.		/* Generic cache responses from hook functions.

net/netfilter/core.c

+4 −2

Original line number	Original line	Diff line number	Diff line
	@@ -173,8 +173,10 @@ next_hook:
	outdev, &elem, okfn, hook_thresh);		outdev, &elem, okfn, hook_thresh);
	if (verdict == NF_ACCEPT \|\| verdict == NF_STOP) {		if (verdict == NF_ACCEPT \|\| verdict == NF_STOP) {
	ret = 1;		ret = 1;
	} else if (verdict == NF_DROP) {		} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
	kfree_skb(skb);		kfree_skb(skb);
			ret = -(verdict >> NF_VERDICT_BITS);
			if (ret == 0)
	ret = -EPERM;		ret = -EPERM;
	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {		} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
	if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,