netfilter: allow hooks to pass error code back up the stack

SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Paris <eparis@redhat.com> 2010-11-16 11:52:38 +0000
committer: David S. Miller <davem@davemloft.net> 2010-11-17 10:54:34 -0800
commit: da6836500414ae734cd9873c2d553db594f831e9 (patch)
tree: 1661f8ec37787e77e604a4f26574d48c57016ed4 /net
parent: 37d668004289d202f71dc5bfdadf6c18b34577a2 (diff)
download: op-kernel-dev-da6836500414ae734cd9873c2d553db594f831e9.zip
op-kernel-dev-da6836500414ae734cd9873c2d553db594f831e9.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85dabb8..32fcbe2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -173,9 +173,11 @@ next_hook:
 			     outdev, &elem, okfn, hook_thresh);
 	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 		ret = 1;
-	} else if (verdict == NF_DROP) {
+	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
 		kfree_skb(skb);
-		ret = -EPERM;
+		ret = -(verdict >> NF_VERDICT_BITS);
+		if (ret == 0)
+			ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
 		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
 			      verdict >> NF_VERDICT_BITS))
author	Eric Paris <eparis@redhat.com>	2010-11-16 11:52:38 +0000
committer	David S. Miller <davem@davemloft.net>	2010-11-17 10:54:34 -0800
commit	da6836500414ae734cd9873c2d553db594f831e9 (patch)
tree	1661f8ec37787e77e604a4f26574d48c57016ed4 /net
parent	37d668004289d202f71dc5bfdadf6c18b34577a2 (diff)
download	op-kernel-dev-da6836500414ae734cd9873c2d553db594f831e9.zip op-kernel-dev-da6836500414ae734cd9873c2d553db594f831e9.tar.gz