@@ -14,6 +14,7 @@
#include <linux/icmp.h>
#include <linux/slab.h>
#include <linux/module.h>
+#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/random.h>
@@ -807,7 +808,7 @@ static int dccp_v4_rcv(struct sk_buff *skb)
const struct dccp_hdr *dh;
const struct iphdr *iph;
struct sock *sk;
- int min_cov;
+ int ret, min_cov;
/* Step 1: Check header basics */
@@ -857,6 +858,17 @@ static int dccp_v4_rcv(struct sk_buff *skb)
/*
* Step 2:
+ * ... or any LOCAL_SOCKET_IN rule disagrees ...
+ */
+ ret = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_SOCKET_IN, sk,
+ skb, skb->dev, NULL, NULL);
+ if (ret != 1) {
+ sock_put(sk);
+ return 0;
+ }
+
+ /*
+ * Step 2:
* ... or S.state == TIMEWAIT,
* Generate Reset(No Connection) unless P.type == Reset
* Drop packet and return
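Review bot: The hook is inserted ahead of the `S.state == TIMEWAIT` step, so `sk` may still be a time-wait entry when it is handed to `nf_hook()` and released with `sock_put(sk)`. Assuming the check under that comment releases time-wait entries through their own put helper, hook consumers that read full-socket fields would be looking at a smaller object, and the plain `sock_put()` would be the wrong release for it. Moving the new block below the TIMEWAIT step avoids both problems; the same ordering applies to the dccp_v6_rcv hunk. The body of dccp_v4_rcv continues outside this hunk, so the socket lookup and the TIMEWAIT test themselves are not visible here.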
@@ -14,6 +14,7 @@
#include <linux/module.h>
#include <linux/random.h>
+#include <linux/netfilter.h>
#include <linux/slab.h>
#include <linux/xfrm.h>
@@ -691,7 +692,7 @@ static int dccp_v6_rcv(struct sk_buff *skb)
{
const struct dccp_hdr *dh;
struct sock *sk;
- int min_cov;
+ int ret, min_cov;
/* Step 1: Check header basics */
@@ -732,6 +733,17 @@ static int dccp_v6_rcv(struct sk_buff *skb)
/*
* Step 2:
+ * ... or any LOCAL_SOCKET_IN rule disagrees ...
+ */
+ ret = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_SOCKET_IN, sk,
+ skb, skb->dev, NULL, NULL);
+ if (ret != 1) {
+ sock_put(sk);
+ return 0;
+ }
+
+ /*
+ * Step 2:
* ... or S.state == TIMEWAIT,
* Generate Reset(No Connection) unless P.type == Reset
* Drop packet and return
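Review bot: `nf_hook()` is called with a NULL `okfn` here, and in the matching dccp_v4_rcv call, which leaves nothing to resume with if a rule on this chain queues the packet to userspace. As far as I can tell, the reinject path invokes the stored okfn on an accept verdict, so a reinjected packet would either hit a NULL call or never reach the socket. Either pass a continuation function or state that queueing verdicts are unsupported on LOCAL_SOCKET_IN. A comment above the `if (ret != 1)` test would also help, e.g. `/* ret != 1: skb already consumed by netfilter (dropped, stolen or queued) */`. dccp_v6_rcv starts and ends outside this hunk.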
Run the NF_INET_LOCAL_SOCKET_IN netfilter chain rules after the destination socket for DCCP packets has been looked up. Signed-off-by: Daniel Mack <daniel@zonque.org> --- net/dccp/ipv4.c | 14 +++++++++++++- net/dccp/ipv6.c | 14 +++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-)