From patchwork Tue Sep 29 11:12:20 2015
X-Patchwork-Submitter: Daniel Mack
X-Patchwork-Id: 523776
X-Patchwork-Delegate: davem@davemloft.net
From: Daniel Mack
To: pablo@netfilter.org
Cc: daniel@iogearbox.net, netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, fw@strlen.de, balazs.scheidler@balabit.com, Daniel Mack
Subject: [PATCH RFC 7/7] net: dccp: hook up LOCAL_SOCKET_IN netfilter chains
Date: Tue, 29 Sep 2015 13:12:20 +0200
Message-Id: <1443525140-13493-8-git-send-email-daniel@zonque.org>

Run the NF_INET_LOCAL_SOCKET_IN netfilter chain rules after the destination socket for DCCP packets has been looked up.

Signed-off-by: Daniel Mack
---
 net/dccp/ipv4.c | 14 +++++++++++++-
 net/dccp/ipv6.c | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index ccf4c56..9746138 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -807,7 +808,7 @@ static int dccp_v4_rcv(struct sk_buff *skb) const struct dccp_hdr *dh; const struct iphdr *iph; struct sock *sk; - int min_cov; + int ret, min_cov; /* Step 1: Check header basics */ @@ -857,6 +858,17 @@ static int dccp_v4_rcv(struct sk_buff *skb) /* * Step 2: + * ... or any LOCAL_SOCKET_IN rule disagrees ... + */ + ret = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_SOCKET_IN, sk, + skb, skb->dev, NULL, NULL); + if (ret != 1) { + sock_put(sk); + return 0; + } + + /* + * Step 2: * ... or S.state == TIMEWAIT, * Generate Reset(No Connection) unless P.type == Reset * Drop packet and return diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 5165571..63b51e6 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -14,6 +14,7 @@ #include #include +#include #include #include 
@@ -691,7 +692,7 @@ static int dccp_v6_rcv(struct sk_buff *skb) { const struct dccp_hdr *dh; struct sock *sk; - int min_cov; + int ret, min_cov; /* Step 1: Check header basics */ @@ -732,6 +733,17 @@ static int dccp_v6_rcv(struct sk_buff *skb) /* * Step 2: + * ... or any LOCAL_SOCKET_IN rule disagrees ... + */ + ret = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_SOCKET_IN, sk, + skb, skb->dev, NULL, NULL); + if (ret != 1) { + sock_put(sk); + return 0; + } + + /* + * Step 2: * ... or S.state == TIMEWAIT, * Generate Reset(No Connection) unless P.type == Reset * Drop packet and return
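
Review bot: in the dccp_v4_rcv() hunk at -857 the new nf_hook() call is placed ahead of the "... or S.state == TIMEWAIT" step, so sk can still be a time-wait socket both when it is handed to the LOCAL_SOCKET_IN rules and when the reject path runs sock_put(sk). Rules that inspect socket fields would then be looking at a time-wait entry rather than a full socket, and it is worth confirming that sock_put() is the right release for that case. Consider moving the hook below the TIMEWAIT check, or skipping it for time-wait sockets. The dccp_v6_rcv() hunk has the same ordering.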
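
Review bot: the comment added in the dccp_v6_rcv() hunk at -732 files the hook under Step 2 ("... or any LOCAL_SOCKET_IN rule disagrees ..."), where the existing text says to generate Reset(No Connection), but the code returns 0 without a Reset and handles every result other than 1 the same way. Please reword the comment to say the packet is dropped silently, and add a line explaining that "return 0" without freeing skb relies on nf_hook() having already consumed the packet whenever it does not return 1. Since the last two arguments to nf_hook() are NULL, it would also help to state whether verdicts other than accept and drop (queueing, for instance) are meant to be usable on this chain. The same comments apply to the IPv4 hunk.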