[nf-next,2/4] netfilter: xt_nat: drop packet earlier

Message ID	20241002155550.15016-3-fw@strlen.de
State	Accepted
Headers	show Return-Path: <netfilter-devel+bounces-4191-incoming=patchwork.ozlabs.org@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Cc: Florian Westphal <fw@strlen.de> Subject: [PATCH nf-next 2/4] netfilter: xt_nat: drop packet earlier Date: Wed, 2 Oct 2024 17:55:40 +0200 Message-ID: <20241002155550.15016-3-fw@strlen.de> In-Reply-To: <20241002155550.15016-1-fw@strlen.de> References: <20241002155550.15016-1-fw@strlen.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	netfilter: use skb_drop_reason in more places \| expand [nf-next,0/4] netfilter: use skb_drop_reason in more places [nf-next,1/4] netfilter: xt_nat: compact nf_nat_setup_info calls [nf-next,2/4] netfilter: xt_nat: drop packet earlier [nf-next,3/4] netfilter: nf_nat: use skb_drop_reason [nf-next,4/4] netfilter: nf_tables: use skb_drop_reason

Message ID

20241002155550.15016-3-fw@strlen.de

State

Accepted

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next 2/4] netfilter: xt_nat: drop packet earlier
Date: Wed,  2 Oct 2024 17:55:40 +0200
Message-ID: <20241002155550.15016-3-fw@strlen.de>
In-Reply-To: <20241002155550.15016-1-fw@strlen.de>
References: <20241002155550.15016-1-fw@strlen.de>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

netfilter: use skb_drop_reason in more places | expand

Commit Message

Florian Westphal Oct. 2, 2024, 3:55 p.m. UTC

Let net dropmonitor pick up a more specific location rather than the
catchall core.c:nf_hook_slow drop point.

This isn't moved into nf_nat_setup_info() because we do not pass
the skb to it.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/xt_nat.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index d04f7cf6b94d..aaf31bd8381b 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -20,6 +20,7 @@  xt_nat_setup_info(struct sk_buff *skb,
 {
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct;
+	int ret;
 
 	ct = nf_ct_get(skb, &ctinfo);
 	if (WARN_ON(!ct))
@@ -30,7 +31,11 @@  xt_nat_setup_info(struct sk_buff *skb,
 	    (ctinfo == IP_CT_RELATED_REPLY && maniptype == NF_NAT_MANIP_SRC))))
 		return NF_ACCEPT;
 
-	return nf_nat_setup_info(ct, range, maniptype);
+	ret = nf_nat_setup_info(ct, range, maniptype);
+	if (ret != NF_DROP)
+		return ret;
+
+	return NF_DROP_REASON(skb, SKB_DROP_REASON_NETFILTER_DROP, EPERM);
 }
 
 static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)

[nf-next,2/4] netfilter: xt_nat: drop packet earlier

Commit Message

Patch