netfilter: allow hooks to pass error code back up the stack

SELinux would like to pass certain fatal errors back up the stack. This patch implements the generic netfilter support for this functionality. Based-on-patch-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Paris <eparis@redhat.com> 2010-11-16 11:52:38 +0000
committer: David S. Miller <davem@davemloft.net> 2010-11-17 10:54:34 -0800
commit: da6836500414ae734cd9873c2d553db594f831e9 (patch)
tree: 1661f8ec37787e77e604a4f26574d48c57016ed4 /net/netfilter
parent: net/atm: Remove unnecessary casts of netdev_priv (diff)
download: linux-dev-da6836500414ae734cd9873c2d553db594f831e9.tar.xz
linux-dev-da6836500414ae734cd9873c2d553db594f831e9.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 85dabb86be6f..32fcbe290c04 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -173,9 +173,11 @@ next_hook:
 			     outdev, &elem, okfn, hook_thresh);
 	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 		ret = 1;
-	} else if (verdict == NF_DROP) {
+	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
 		kfree_skb(skb);
-		ret = -EPERM;
+		ret = -(verdict >> NF_VERDICT_BITS);
+		if (ret == 0)
+			ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
 		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
 			      verdict >> NF_VERDICT_BITS))
author	Eric Paris <eparis@redhat.com>	2010-11-16 11:52:38 +0000
committer	David S. Miller <davem@davemloft.net>	2010-11-17 10:54:34 -0800
commit	da6836500414ae734cd9873c2d553db594f831e9 (patch)
tree	1661f8ec37787e77e604a4f26574d48c57016ed4 /net/netfilter
parent	net/atm: Remove unnecessary casts of netdev_priv (diff)
download	linux-dev-da6836500414ae734cd9873c2d553db594f831e9.tar.xz linux-dev-da6836500414ae734cd9873c2d553db594f831e9.zip